/**
* gnutls_x509_trust_list_verify_crt:
* @list: The structure of the list
* @cert_list: is the certificate list to be verified
* @cert_list_size: is the certificate list size
* @flags: Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.
* @voutput: will hold the certificate verification output.
* @func: If non-null will be called on each chain element verification with the output.
*
* This function will try to verify the given certificate and return
* its status. The @voutput parameter will hold an OR'ed sequence of
* %gnutls_certificate_status_t flags.
*
* The details of the verification are the same as in gnutls_x509_trust_list_verify_crt2().
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 3.0
**/
int
gnutls_x509_trust_list_verify_crt(gnutls_x509_trust_list_t list,
gnutls_x509_crt_t * cert_list,
unsigned int cert_list_size,
unsigned int flags,
unsigned int *voutput,
gnutls_verify_output_function func)
{
return gnutls_x509_trust_list_verify_crt2(list, cert_list, cert_list_size,
NULL, 0, flags, voutput, func);
}
void doit(void)
{
char buf[128];
int exit_val = 0;
int ret;
unsigned j;
const char *lib, *bin;
gnutls_x509_crt_t issuer = NULL;
gnutls_x509_trust_list_t tl;
gnutls_x509_crt_t certs[MAX_CHAIN];
gnutls_x509_crt_t end, ca;
unsigned verify_status = 0;
gnutls_datum_t tmp;
/* The overloading of time() seems to work in linux (ELF?)
* systems only. Disable it on windows.
*/
#ifdef _WIN32
exit(77);
#endif
bin = softhsm_bin();
lib = softhsm_lib();
ret = global_init();
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_pkcs11_set_pin_function(pin_func, NULL);
gnutls_global_set_time_function(mytime);
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
set_softhsm_conf(CONFIG);
snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin);
system(buf);
ret = gnutls_pkcs11_add_provider(lib, "trusted");
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_init: %s\n",
gnutls_strerror(ret));
exit(1);
}
for (j = 0; ca_list[j]; j++) {
if (debug > 2)
printf("\tAdding certificate %d...",
(int) j);
ret = gnutls_x509_crt_init(&certs[j]);
if (ret < 0) {
fprintf(stderr,
"gnutls_x509_crt_init[%d,%d]: %s\n",
(int) 3, (int) j,
gnutls_strerror(ret));
exit(1);
}
tmp.data = (unsigned char *) ca_list[j];
tmp.size = strlen(ca_list[j]);
ret =
gnutls_x509_crt_import(certs[j], &tmp,
GNUTLS_X509_FMT_PEM);
if (debug > 2)
printf("done\n");
if (ret < 0) {
fprintf(stderr,
"gnutls_x509_crt_import[%d]: %s\n",
(int) j,
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_crt_print(certs[j],
GNUTLS_CRT_PRINT_ONELINE,
&tmp);
if (debug)
printf("\tCertificate %d: %.*s\n", (int) j,
tmp.size, tmp.data);
gnutls_free(tmp.data);
}
if (debug > 2)
printf("\tAdding end certificate...");
ret = gnutls_x509_crt_init(&end);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_init: %s\n",
gnutls_strerror(ret));
exit(1);
}
tmp.data = (unsigned char *) v1_root_check[0];
tmp.size = strlen(v1_root_check[0]);
ret =
gnutls_x509_crt_import(end, &tmp, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_import: %s\n",
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_crt_print(end, GNUTLS_CRT_PRINT_ONELINE, &tmp);
if (debug)
printf("\tEnd Certificate: %.*s\n", tmp.size,
tmp.data);
gnutls_free(tmp.data);
ret = gnutls_x509_crt_init(&ca);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_init: %s\n",
gnutls_strerror(ret));
exit(1);
}
tmp.data = (unsigned char *) v1_root_check[1];
tmp.size = strlen(v1_root_check[1]);
ret =
gnutls_x509_crt_import(ca, &tmp, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_import: %s\n",
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_crt_print(end, GNUTLS_CRT_PRINT_ONELINE, &tmp);
if (debug)
printf("\tCA Certificate: %.*s\n", tmp.size,
tmp.data);
gnutls_free(tmp.data);
if (debug > 2)
printf("done\n");
if (debug)
printf("\tChecking presence and verification...");
/* initialize softhsm token */
ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test");
if (ret < 0) {
fail("gnutls_pkcs11_token_init\n");
exit(1);
}
/* write CA certificate to softhsm */
for (j = 0; ca_list[j]; j++) {
char name[64];
snprintf(name, sizeof(name), "test-ca%d", j);
ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, certs[j], name, GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED|GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO);
if (ret < 0) {
fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret));
exit(1);
}
}
gnutls_x509_trust_list_init(&tl, 0);
ret = gnutls_x509_trust_list_add_trust_file(tl, SOFTHSM_URL, NULL, 0, 0, 0);
if (ret < 0) {
fail("gnutls_x509_trust_list_add_trust_file\n");
exit(1);
}
ret = gnutls_x509_trust_list_add_cas(tl, &ca, 1, 0);
if (ret < 0) {
fail("gnutls_x509_trust_list_add_cas\n");
exit(1);
}
/* extract the issuer of the certificate */
ret = gnutls_x509_trust_list_get_issuer(tl, end, &issuer, GNUTLS_TL_GET_COPY);
if (ret < 0) {
fail("gnutls_x509_trust_list_get_issuer should have succeeded\n");
exit(1);
}
gnutls_x509_crt_deinit(issuer);
ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, ca, GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED);
if (ret != 0) {
fail("gnutls_pkcs11_crt_is_known should have failed!\n");
exit(1);
}
ret = gnutls_x509_trust_list_verify_crt2(tl, &end, 1,
NULL, 0,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS, &verify_status, NULL);
if (ret < 0) {
fail("gnutls_x509_trust_list_verify_crt2 should have succeeded\n");
exit(1);
}
if (verify_status != 0) {
fail("verification should have succeeded: %.2x\n", verify_status);
exit(1);
}
if (debug)
printf("\tCleanup...");
gnutls_x509_trust_list_deinit(tl, 0);
gnutls_x509_crt_deinit(ca);
gnutls_x509_crt_deinit(end);
for (j = 0; ca_list[j]; j++) {
gnutls_x509_crt_deinit(certs[j]);
}
if (debug)
printf("done\n\n\n");
gnutls_global_deinit();
if (debug)
printf("Exit status...%d\n", exit_val);
remove(CONFIG);
exit(exit_val);
}
