void doit(void) { gnutls_certificate_credentials_t serv_cred; gnutls_certificate_credentials_t cli_cred; int ret; /* this must be called once in the program */ global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(6); assert(gnutls_certificate_allocate_credentials(&cli_cred) >= 0); ret = gnutls_certificate_set_x509_trust_mem(cli_cred, &ca3_cert, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret)); ret = gnutls_certificate_set_x509_key_mem(cli_cred, &clidsa_ca3_cert, &clidsa_ca3_key, GNUTLS_X509_FMT_PEM); if (ret < 0) { fail("error in error code: %s\n", gnutls_strerror(ret)); exit(1); } /* test gnutls_certificate_flags() */ gnutls_certificate_allocate_credentials(&serv_cred); gnutls_certificate_set_flags(serv_cred, GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH); ret = gnutls_certificate_set_x509_trust_mem(serv_cred, &ca3_cert, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret)); ret = gnutls_certificate_set_x509_key_mem(serv_cred, &server_ca3_localhost_cert_chain, &server_ca3_key, GNUTLS_X509_FMT_PEM); if (ret < 0) { fail("error in error code\n"); exit(1); } test_cli_serv_cert(serv_cred, cli_cred, "NORMAL:+DHE-DSS:+SIGN-DSA-SHA1", "NORMAL:-DHE-DSS:-SIGN-DSA-SHA1", "localhost"); gnutls_certificate_free_credentials(serv_cred); gnutls_certificate_free_credentials(cli_cred); gnutls_global_deinit(); if (debug) success("success"); }
void doit(void) { gnutls_certificate_credentials_t x509_cred; gnutls_certificate_credentials_t clicred; int ret; unsigned idx; #if !defined(HAVE_LIBIDN2) exit(77); #endif /* this must be called once in the program */ global_init(); gnutls_global_set_time_function(mytime); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(6); assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0); gnutls_certificate_set_flags(x509_cred, GNUTLS_CERTIFICATE_API_V2); ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret)); idx = import_key(x509_cred, &server_ca3_key, &server_ca3_localhost_cert_chain); assert(idx == 0); idx = import_key(x509_cred, &server_ca3_key, &server_ca3_localhost_utf8_cert); assert(idx == 1); test_cli_serv(x509_cred, clicred, "NORMAL", "localhost", NULL, NULL, NULL); test_cli_serv(x509_cred, clicred, "NORMAL", "www.xn--kxawhku.com", NULL, NULL, NULL); /* the previous name in IDNA format */ test_cli_serv(x509_cred, clicred, "NORMAL", "简体中文.εξτρα.com", NULL, NULL, NULL); /* the second DNS name of cert */ test_cli_serv(x509_cred, clicred, "NORMAL", "xn--fiqu1az03c18t.xn--mxah1amo.com", NULL, NULL, NULL); /* its IDNA equivalent */ test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_DISALLOWED_NAME, GNUTLS_E_AGAIN); gnutls_certificate_free_credentials(x509_cred); gnutls_certificate_free_credentials(clicred); gnutls_global_deinit(); if (debug) success("success"); }
void doit(void) { int ret; gnutls_certificate_credentials_t xcred; gnutls_certificate_credentials_t clicred; const char *certfile; const char *ocspfile1; char certname[TMPNAME_SIZE], ocspname1[TMPNAME_SIZE]; time_t t; FILE *fp; global_init(); gnutls_global_set_time_function(mytime); assert(gnutls_certificate_allocate_credentials(&xcred) >= 0); assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); certfile = get_tmpname(certname); fp = fopen(certfile, "wb"); if (fp == NULL) fail("error in fopen\n"); assert(fwrite(server_localhost_ca3_cert_chain_pem, 1, strlen(server_localhost_ca3_cert_chain_pem), fp)>0); assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0); fclose(fp); /* set cert with localhost name */ ret = gnutls_certificate_set_x509_key_file2(xcred, certfile, certfile, GNUTLS_X509_FMT_PEM, NULL, 0); if (ret < 0) fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret)); fp = fopen(certfile, "wb"); if (fp == NULL) fail("error in fopen\n"); assert(fwrite(server_localhost6_ca3_cert_chain_pem, 1, strlen(server_localhost6_ca3_cert_chain_pem), fp)>0); assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0); fclose(fp); gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK); /* set OCSP response */ ocspfile1 = get_tmpname(ocspname1); fp = fopen(ocspfile1, "wb"); if (fp == NULL) fail("error in fopen\n"); assert(fwrite(ocsp_resp1.data, 1, ocsp_resp1.size, fp)>0); fclose(fp); ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile1, 0); if (ret < 0) fail("ocsp file set failed: %s\n", gnutls_strerror(ret)); t = gnutls_certificate_get_ocsp_expiration(xcred, 0, 0, 0); if (t != 1511689427) fail("error in OCSP validity time: %ld\n", (long int)t); t = gnutls_certificate_get_ocsp_expiration(xcred, 0, 1, 0); if (t != -1) fail("error in OCSP validity time: %ld\n", (long int)t); t = gnutls_certificate_get_ocsp_expiration(xcred, 0, -1, 0); if (t != 1511689427) fail("error in OCSP validity time: %ld\n", (long int)t); /* make sure that our invalid OCSP responses are not considered in verification */ gnutls_certificate_set_verify_flags(clicred, GNUTLS_VERIFY_DISABLE_CRL_CHECKS); if (gnutls_certificate_get_verify_flags(clicred) != GNUTLS_VERIFY_DISABLE_CRL_CHECKS) fail("error in gnutls_certificate_set_verify_flags\n"); ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM); if (ret < 0) { fail("error in setting trust cert: %s\n", gnutls_strerror(ret)); } test_cli_serv(xcred, clicred, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost", &ocsp_resp1, check_response, NULL); /* the DNS name of the first cert */ test_cli_serv(xcred, clicred, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost", &ocsp_resp1, check_response, NULL); /* the DNS name of the first cert */ gnutls_certificate_free_credentials(xcred); gnutls_certificate_free_credentials(clicred); gnutls_global_deinit(); remove(ocspfile1); remove(certfile); }