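/*
 * Host-name matching against certificates that carry internationalised DNS
 * names. The client must accept a SAN in both its Unicode (U-label) and its
 * punycode (A-label) spelling, and must refuse a name the test helper sends
 * without IDNA processing ("raw:" prefix). Skipped (exit 77) without libidn2,
 * since none of the name conversions below can work without it.
 */
void doit(void)
{
	gnutls_certificate_credentials_t x509_cred;
	gnutls_certificate_credentials_t clicred;
	int ret;
	unsigned idx;

#if !defined(HAVE_LIBIDN2)
	exit(77);
#endif

	/* this must be called once in the program */
	global_init();

	gnutls_global_set_time_function(mytime);
	gnutls_global_set_log_function(tls_log_func);
	if (debug)
		gnutls_global_set_log_level(6);

	/* Keep the allocations outside assert() so they are still executed
	 * if the file is ever built with NDEBUG. */
	ret = gnutls_certificate_allocate_credentials(&clicred);
	assert(ret >= 0);
	ret = gnutls_certificate_allocate_credentials(&x509_cred);
	assert(ret >= 0);
	gnutls_certificate_set_flags(x509_cred, GNUTLS_CERTIFICATE_API_V2);

	/* The client trusts only ca3; every server chain below is issued by it. */
	ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("set_x509_trust_mem failed: %s\n", gnutls_strerror(ret));

	/* The test expects the two key/cert pairs at credential indices 0 and 1
	 * (that is what import_key() reports back). */
	idx = import_key(x509_cred, &server_ca3_key, &server_ca3_localhost_cert_chain);
	assert(idx == 0);
	idx = import_key(x509_cred, &server_ca3_key, &server_ca3_localhost_utf8_cert);
	assert(idx == 1);

	test_cli_serv(x509_cred, clicred, "NORMAL", "localhost", NULL, NULL, NULL);
	test_cli_serv(x509_cred, clicred, "NORMAL", "www.xn--kxawhku.com", NULL, NULL, NULL); /* the previous name in IDNA format */
	test_cli_serv(x509_cred, clicred, "NORMAL", "简体中文.εξτρα.com", NULL, NULL, NULL); /* the second DNS name of cert */
	test_cli_serv(x509_cred, clicred, "NORMAL", "xn--fiqu1az03c18t.xn--mxah1amo.com", NULL, NULL, NULL); /* its IDNA equivalent */

	/* The "raw:" form is presumably passed through by the helper without
	 * IDNA conversion; the unencoded Unicode label must then be rejected as
	 * a disallowed name, not matched. */
	test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com",
			     GNUTLS_E_RECEIVED_DISALLOWED_NAME, GNUTLS_E_AGAIN);

	gnutls_certificate_free_credentials(x509_cred);
	gnutls_certificate_free_credentials(clicred);

	gnutls_global_deinit();

	if (debug)
		success("success");
}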
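/*
 * Builds a certificate request through the extension-setting helpers, exports
 * it as PEM and (when libidn is available, so that IDNA encoding of the names
 * is deterministic) compares the result byte-for-byte with saved_crq.
 */
void doit(void)
{
	gnutls_datum_t out;
	gnutls_x509_crq_t crq;
	int ret;

	/* Pin the clock so any time-dependent fields match the saved request. */
	gnutls_global_set_time_function(mytime);

	crq = generate_crq();
	run_set_extensions(crq);
	run_set_extension_by_oid(crq);

	/* The export must not live inside assert(): with NDEBUG the call would
	 * be dropped and `out` left uninitialised. */
	ret = gnutls_x509_crq_export2(crq, GNUTLS_X509_FMT_PEM, &out);
	assert(ret >= 0);

#ifdef HAVE_LIBIDN
	assert(out.size == saved_crq.size);
	assert(memcmp(out.data, saved_crq.data, out.size) == 0);
#endif

	gnutls_free(out.data);
	gnutls_x509_crq_deinit(crq);
}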
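/*
 * Table-driven chain verification: for each entry of chains[] import the PEM
 * certificates of the chain and its trust anchor, run
 * gnutls_x509_crt_list_verify() with the entry's flags, and compare the
 * returned status bits with the expected value. The clock is pinned through
 * mytime() so validity-period results are reproducible.
 *
 * Fixes over the previous version: a table entry longer than certs[] is
 * rejected instead of overrunning the stack, crt_print() failures are not
 * ignored, and a mismatch observed in debug mode now yields a non-zero exit
 * status (previously exit_val was never updated, so `debug` runs always
 * exited 0).
 */
void doit(void)
{
	int exit_val = 0;
	size_t i;
	int ret;

	/* The overloading of time() seems to work in linux (ELF?)
	 * systems only. Disable it on windows. */
#ifdef _WIN32
	exit(77);
#endif

	ret = gnutls_global_init();
	if (ret != 0) {
		fail("%d: %s\n", ret, gnutls_strerror(ret));
		exit(EXIT_FAILURE);
	}

	gnutls_global_set_time_function(mytime);
	gnutls_global_set_log_function(tls_log_func);
	if (debug)
		gnutls_global_set_log_level(4711);

	for (i = 0; chains[i].chain; i++) {
		unsigned int verify_status;
		gnutls_x509_crt_t certs[4];
		const size_t max_certs = sizeof(certs) / sizeof(certs[0]);
		gnutls_x509_crt_t ca;
		gnutls_datum_t tmp;
		size_t j;

		if (debug)
			printf("Chain '%s' (%d)...\n", chains[i].name, (int) i);

		for (j = 0; chains[i].chain[j]; j++) {
			/* certs[] has a fixed size; a longer table entry must
			 * fail loudly rather than write past the array. */
			if (j >= max_certs)
				error(EXIT_FAILURE, 0,
				      "chain '%s' has more than %u certificates",
				      chains[i].name, (unsigned) max_certs);

			if (debug > 2)
				printf("\tAdding certificate %d...", (int) j);

			ret = gnutls_x509_crt_init(&certs[j]);
			if (ret < 0)
				error(EXIT_FAILURE, 0, "gnutls_x509_crt_init[%d,%d]: %s",
				      (int) i, (int) j, gnutls_strerror(ret));

			tmp.data = (unsigned char *) chains[i].chain[j];
			tmp.size = strlen(chains[i].chain[j]);

			ret = gnutls_x509_crt_import(certs[j], &tmp, GNUTLS_X509_FMT_PEM);
			if (debug > 2)
				printf("done\n");
			if (ret < 0)
				error(EXIT_FAILURE, 0, "gnutls_x509_crt_import[%d,%d]: %s",
				      (int) i, (int) j, gnutls_strerror(ret));

			ret = gnutls_x509_crt_print(certs[j], GNUTLS_CRT_PRINT_ONELINE, &tmp);
			if (ret < 0)
				error(EXIT_FAILURE, 0, "gnutls_x509_crt_print[%d,%d]: %s",
				      (int) i, (int) j, gnutls_strerror(ret));
			if (debug)
				printf("\tCertificate %d: %.*s\n", (int) j, (int) tmp.size, tmp.data);
			gnutls_free(tmp.data);
		}

		if (debug > 2)
			printf("\tAdding CA certificate...");

		ret = gnutls_x509_crt_init(&ca);
		if (ret < 0)
			error(EXIT_FAILURE, 0, "gnutls_x509_crt_init: %s", gnutls_strerror(ret));

		tmp.data = (unsigned char *) *chains[i].ca;
		tmp.size = strlen(*chains[i].ca);

		ret = gnutls_x509_crt_import(ca, &tmp, GNUTLS_X509_FMT_PEM);
		if (ret < 0)
			error(EXIT_FAILURE, 0, "gnutls_x509_crt_import: %s", gnutls_strerror(ret));

		if (debug > 2)
			printf("done\n");

		ret = gnutls_x509_crt_print(ca, GNUTLS_CRT_PRINT_ONELINE, &tmp);
		if (ret < 0)
			error(EXIT_FAILURE, 0, "gnutls_x509_crt_print: %s", gnutls_strerror(ret));
		if (debug)
			printf("\tCA Certificate: %.*s\n", (int) tmp.size, tmp.data);
		gnutls_free(tmp.data);

		if (debug)
			printf("\tVerifying...");

		/* j is now the number of certificates in the chain. */
		ret = gnutls_x509_crt_list_verify(certs, j, &ca, 1, NULL, 0,
						  chains[i].verify_flags, &verify_status);
		if (ret < 0)
			error(EXIT_FAILURE, 0, "gnutls_x509_crt_list_verify[%d,%d]: %s",
			      (int) i, (int) j, gnutls_strerror(ret));

		if (verify_status != chains[i].expected_verify_result) {
			fail("chain[%s]: verify_status: %d expected: %d\n",
			     chains[i].name, verify_status, chains[i].expected_verify_result);
			/* In debug mode keep going through the table, but make
			 * sure the final exit status still reports the failure. */
			exit_val = 1;
			if (!debug)
				exit(1);
		} else if (debug)
			printf("done\n");

		if (debug)
			printf("\tCleanup...");

		gnutls_x509_crt_deinit(ca);
		for (j = 0; chains[i].chain[j]; j++)
			gnutls_x509_crt_deinit(certs[j]);

		if (debug)
			printf("done\n\n\n");
	}

	gnutls_global_deinit();

	if (debug)
		printf("Exit status...%d\n", exit_val);

	exit(exit_val);
}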
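/*
 * Table-driven CRL verification: for each entry of crl_list[] import the CRL
 * and its issuing CA, verify the CRL with gnutls_x509_crl_verify() and compare
 * the status bits with the expected value. The same CRL is then fed to a
 * trust list via gnutls_x509_trust_list_add_crls(GNUTLS_TL_VERIFY_CRL) to make
 * sure both code paths agree on whether the CRL is acceptable.
 *
 * Fixes over the previous version: error messages name the function that
 * actually failed (crl_verify, trust_list_add_cas), trust_list_init() and
 * crl/crt_print() results are checked, and a mismatch seen in debug mode now
 * produces a non-zero exit status (exit_val used to stay 0).
 */
void doit(void)
{
	int exit_val = 0;
	size_t i;
	int ret;
	gnutls_x509_trust_list_t tl;
	unsigned int verify_status;
	gnutls_x509_crl_t crl;
	gnutls_x509_crt_t ca;
	gnutls_datum_t tmp;

	/* The overloading of time() seems to work in linux (ELF?)
	 * systems only. Disable it on windows. */
#ifdef _WIN32
	exit(77);
#endif

	ret = global_init();
	if (ret != 0) {
		fail("%d: %s\n", ret, gnutls_strerror(ret));
		exit(1);
	}

	gnutls_global_set_time_function(mytime);
	gnutls_global_set_log_function(tls_log_func);
	if (debug)
		gnutls_global_set_log_level(4711);

	for (i = 0; crl_list[i].name; i++) {
		if (debug)
			printf("Chain '%s' (%d)...\n", crl_list[i].name, (int) i);

		if (debug > 2)
			printf("\tAdding CRL...");

		ret = gnutls_x509_crl_init(&crl);
		if (ret < 0) {
			fprintf(stderr, "gnutls_x509_crl_init[%d]: %s\n", (int) i, gnutls_strerror(ret));
			exit(1);
		}

		tmp.data = (unsigned char *) *crl_list[i].crl;
		tmp.size = strlen(*crl_list[i].crl);

		ret = gnutls_x509_crl_import(crl, &tmp, GNUTLS_X509_FMT_PEM);
		if (debug > 2)
			printf("done\n");
		if (ret < 0) {
			fprintf(stderr, "gnutls_x509_crl_import[%s]: %s\n", crl_list[i].name, gnutls_strerror(ret));
			exit(1);
		}

		ret = gnutls_x509_crl_print(crl, GNUTLS_CRT_PRINT_ONELINE, &tmp);
		if (ret < 0) {
			fprintf(stderr, "gnutls_x509_crl_print[%s]: %s\n", crl_list[i].name, gnutls_strerror(ret));
			exit(1);
		}
		if (debug)
			printf("\tCRL: %.*s\n", (int) tmp.size, tmp.data);
		gnutls_free(tmp.data);

		if (debug > 2)
			printf("\tAdding CA certificate...");

		ret = gnutls_x509_crt_init(&ca);
		if (ret < 0) {
			fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret));
			exit(1);
		}

		tmp.data = (unsigned char *) *crl_list[i].ca;
		tmp.size = strlen(*crl_list[i].ca);

		ret = gnutls_x509_crt_import(ca, &tmp, GNUTLS_X509_FMT_PEM);
		if (ret < 0) {
			fprintf(stderr, "gnutls_x509_crt_import: %s\n", gnutls_strerror(ret));
			exit(1);
		}

		if (debug > 2)
			printf("done\n");

		ret = gnutls_x509_crt_print(ca, GNUTLS_CRT_PRINT_ONELINE, &tmp);
		if (ret < 0) {
			fprintf(stderr, "gnutls_x509_crt_print: %s\n", gnutls_strerror(ret));
			exit(1);
		}
		if (debug)
			printf("\tCA Certificate: %.*s\n", (int) tmp.size, tmp.data);
		gnutls_free(tmp.data);

		if (debug)
			printf("\tVerifying...");

		ret = gnutls_x509_crl_verify(crl, &ca, 1, crl_list[i].verify_flags, &verify_status);
		if (ret < 0) {
			fprintf(stderr, "gnutls_x509_crl_verify[%d]: %s\n", (int) i, gnutls_strerror(ret));
			exit(1);
		}

		if (verify_status != crl_list[i].expected_verify_result) {
			gnutls_datum_t out1, out2;

			gnutls_certificate_verification_status_print(verify_status, GNUTLS_CRT_X509, &out1, 0);
			gnutls_certificate_verification_status_print(crl_list[i].expected_verify_result,
								     GNUTLS_CRT_X509, &out2, 0);

			fail("chain[%s]:\nverify_status: %d: %s\nexpected: %d: %s\n",
			     crl_list[i].name, verify_status, out1.data,
			     crl_list[i].expected_verify_result, out2.data);

			gnutls_free(out1.data);
			gnutls_free(out2.data);

			/* Continue through the table in debug mode, but do not
			 * let the run exit 0 afterwards. */
			exit_val = 1;
			if (!debug)
				exit(1);
		} else if (debug)
			printf("done\n");

		ret = gnutls_x509_trust_list_init(&tl, 0);
		if (ret < 0) {
			fail("gnutls_x509_trust_list_init: %s\n", gnutls_strerror(ret));
			exit(1);
		}

		/* add_cas() returns the number of CAs added; exactly one is expected. */
		ret = gnutls_x509_trust_list_add_cas(tl, &ca, 1, 0);
		if (ret != 1) {
			fail("gnutls_x509_trust_list_add_cas\n");
			exit(1);
		}

		/* make sure that the two functions don't diverge */
		ret = gnutls_x509_trust_list_add_crls(tl, &crl, 1, GNUTLS_TL_VERIFY_CRL,
						      crl_list[i].verify_flags);
		if (crl_list[i].expected_verify_result == 0 && ret < 0) {
			fprintf(stderr, "gnutls_x509_trust_list_add_crls[%d]: %s\n", (int) i, gnutls_strerror(ret));
			exit(1);
		}
		if (crl_list[i].expected_verify_result != 0 && ret > 0) {
			fprintf(stderr, "gnutls_x509_trust_list_add_crls[%d]: succeeded when it shouldn't\n", (int) i);
			exit(1);
		}

		if (debug)
			printf("\tCleanup...");

		/* The trust list does not own ca/crl (deinit flag 0); they are
		 * released explicitly below. */
		gnutls_x509_trust_list_deinit(tl, 0);
		gnutls_x509_crt_deinit(ca);
		gnutls_x509_crl_deinit(crl);

		if (debug)
			printf("done\n\n\n");
	}

	gnutls_global_deinit();

	if (debug)
		printf("Exit status...%d\n", exit_val);

	exit(exit_val);
}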
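/*
 * Imports the PEM chain [pem, pem + pem_size) into a certificate list,
 * verifies it against @tl with the verification flags @vflags, and checks
 * the outcome against @expect_ok: non-zero means the chain must verify
 * (status == 0), zero means it must be rejected (status != 0). Any deviation
 * is reported under @label and ends the test. The imported certificates are
 * released before returning.
 */
static void check_chain(gnutls_x509_trust_list_t tl, const char *pem, size_t pem_size,
			unsigned int vflags, int expect_ok, const char *label)
{
	gnutls_datum_t data;
	gnutls_x509_crt_t *crts;
	unsigned int crts_size, i, status;
	int ret;

	data.data = (void *) pem;
	data.size = (unsigned int) pem_size;

	ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &data, GNUTLS_X509_FMT_PEM, 0);
	if (ret < 0) {
		fail("gnutls_x509_crt_list_import2: %s\n", gnutls_strerror(ret));
		exit(1);
	}

	ret = gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, vflags, &status, NULL);
	if (ret < 0 || (expect_ok ? status != 0 : status == 0)) {
		fail("gnutls_x509_trust_list_verify_crt - %s\n", label);
		exit(1);
	}

	for (i = 0; i < crts_size; i++)
		gnutls_x509_crt_deinit(crts[i]);
	gnutls_free(crts);
}

/*
 * Unsorted-chain handling. chain1/3/4 are plain chains; chain2 is out of
 * order. With GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN all four must verify, with
 * GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN chain2 must be rejected, and
 * gnutls_x509_crt_list_import2() must refuse chain2 outright when asked to
 * via GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED.
 *
 * Changes over the previous version: the repeated import/verify/free
 * sequence lives in check_chain(); the trust anchor load now requires at
 * least one certificate to have been added (add_trust_mem() returns a count,
 * so `ret < 0` alone would accept an empty trust store); and the diagnostic
 * for the FAIL_IF_UNSORTED case names the flag that was actually passed.
 */
void doit(void)
{
	int ret;
	gnutls_datum_t data;
	gnutls_x509_crt_t *crts;
	unsigned int crts_size;
	gnutls_x509_trust_list_t tl;
	unsigned int flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN;
	unsigned int not_flags = GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN;

	/* this must be called once in the program */
	global_init();

	gnutls_global_set_time_function(mytime);
	gnutls_global_set_log_function(tls_log_func);
	if (debug)
		gnutls_global_set_log_level(6);

	ret = gnutls_x509_trust_list_init(&tl, 0);
	if (ret < 0) {
		fail("gnutls_x509_trust_list_init: %s\n", gnutls_strerror(ret));
		exit(1);
	}

	ret = gnutls_x509_trust_list_add_trust_mem(tl, &ca, NULL, GNUTLS_X509_FMT_PEM, 0, 0);
	if (ret < 1) {
		fail("gnutls_x509_trust_list_add_trust_mem\n");
		exit(1);
	}

	/* Chain 1 */
	check_chain(tl, chain1, sizeof(chain1), flags, 1, "1");

	/* Chain 2 */
	data.data = (void *) chain2;
	data.size = sizeof(chain2);

	/* verify whether the GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED flag is
	 * considered by gnutls_x509_crt_list_import2() */
	ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &data, GNUTLS_X509_FMT_PEM,
					   GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
	if (ret != GNUTLS_E_CERTIFICATE_LIST_UNSORTED) {
		fail("gnutls_x509_crt_list_import2 with flag GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED on unsorted chain didn't fail: %s\n",
		     gnutls_strerror(ret));
		exit(1);
	}

	check_chain(tl, chain2, sizeof(chain2), flags, 1, "2");

	/* Chain 3 */
	check_chain(tl, chain3, sizeof(chain3), flags, 1, "3");

	/* Chain 4 */
	check_chain(tl, chain4, sizeof(chain4), flags, 1, "4");

	/* Check if an unsorted list would fail if the unsorted flag is not given */
	check_chain(tl, chain2, sizeof(chain2), not_flags, 0, "5");

	/* deinit flag 1: the trust list owns and frees the anchors it loaded. */
	gnutls_x509_trust_list_deinit(tl, 1);

	gnutls_global_deinit();

	if (debug)
		success("success");
}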
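/*
 * Named-certificate trust: the server certificate is pinned in a trust list
 * under NAME and must verify only when queried with exactly that name; a
 * truncated name or an unrelated one must be rejected. The second half
 * checks the PEM and DER variants of gnutls_x509_trust_list_add_trust_mem().
 *
 * Change over the previous version: the return values of
 * gnutls_global_init(), gnutls_x509_trust_list_init() and
 * gnutls_x509_crt_init() are no longer ignored, so an allocation failure
 * cannot turn into a crash on an uninitialised handle later on.
 */
void doit(void)
{
	int ret;
	gnutls_datum_t data;
	gnutls_x509_crt_t server_crt, ca_crt;
	gnutls_x509_trust_list_t tl;
	unsigned int status;

	/* this must be called once in the program */
	ret = gnutls_global_init();
	if (ret < 0)
		fail("gnutls_global_init: %s\n", gnutls_strerror(ret));

	gnutls_global_set_time_function(mytime);
	gnutls_global_set_log_function(tls_log_func);
	if (debug)
		gnutls_global_set_log_level(6);

	ret = gnutls_x509_trust_list_init(&tl, 0);
	if (ret < 0)
		fail("gnutls_x509_trust_list_init\n");
	ret = gnutls_x509_crt_init(&server_crt);
	if (ret < 0)
		fail("gnutls_x509_crt_init\n");
	ret = gnutls_x509_crt_init(&ca_crt);
	if (ret < 0)
		fail("gnutls_x509_crt_init\n");

	ret = gnutls_x509_crt_import(server_crt, &cert, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("gnutls_x509_crt_import");

	ret = gnutls_x509_crt_import(ca_crt, &ca, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("gnutls_x509_crt_import");

	ret = gnutls_x509_trust_list_add_cas(tl, &ca_crt, 1, 0);
	if (ret < 0)
		fail("gnutls_x509_trust_list_add_cas");

	/* Pin server_crt under NAME (NAME_SIZE bytes, binary-safe). */
	ret = gnutls_x509_trust_list_add_named_crt(tl, server_crt, NAME, NAME_SIZE, 0);
	if (ret < 0)
		fail("gnutls_x509_trust_list_add_named_crt");

	/* Ordinary chain verification against the CA must still succeed. */
	ret = gnutls_x509_trust_list_verify_crt(tl, &server_crt, 1, 0, &status, NULL);
	if (ret < 0 || status != 0)
		fail("gnutls_x509_trust_list_verify_crt\n");

	/* Exact name: accepted. */
	ret = gnutls_x509_trust_list_verify_named_crt(tl, server_crt, NAME, NAME_SIZE, 0, &status, NULL);
	if (ret < 0 || status != 0)
		fail("gnutls_x509_trust_list_verify_named_crt: %d\n", __LINE__);

	/* Name shortened by one byte: a prefix must not match the pinned name. */
	ret = gnutls_x509_trust_list_verify_named_crt(tl, server_crt, NAME, NAME_SIZE - 1, 0, &status, NULL);
	if (ret < 0 || status == 0)
		fail("gnutls_x509_trust_list_verify_named_crt: %d\n", __LINE__);

	/* Unrelated name: rejected. */
	ret = gnutls_x509_trust_list_verify_named_crt(tl, server_crt, "other", 5, 0, &status, NULL);
	if (ret < 0 || status == 0)
		fail("gnutls_x509_trust_list_verify_named_crt: %d\n", __LINE__);

	/* test convenience functions in verify-high2.c */
	data.data = cert_pem;
	data.size = strlen((char *) cert_pem);

	/* add_trust_mem() returns the number of certificates added. */
	ret = gnutls_x509_trust_list_add_trust_mem(tl, &data, NULL, GNUTLS_X509_FMT_PEM, 0, 0);
	if (ret < 1)
		fail("gnutls_x509_trust_list_add_trust_mem: %d (%s)\n", __LINE__, gnutls_strerror(ret));

	data.data = cert_der;
	data.size = sizeof(cert_der);

	ret = gnutls_x509_trust_list_add_trust_mem(tl, &data, NULL, GNUTLS_X509_FMT_DER, 0, 0);
	if (ret < 1)
		fail("gnutls_x509_trust_list_add_trust_mem: %d (%s)\n", __LINE__, gnutls_strerror(ret));

	/* deinit flag 1: the list frees the certificates it holds. */
	gnutls_x509_trust_list_deinit(tl, 1);

	gnutls_global_deinit();

	if (debug)
		success("success");
}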
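/*
 * PKCS#11 trust-store test against a SoftHSM token: the certificates in
 * ca_list[] are written to the token as trusted objects, a separate V1 root
 * (v1_root_check[1]) is added to the trust list directly, and the end
 * certificate v1_root_check[0] must then be verifiable while the V1 root
 * itself must NOT be reported as known to the token.
 *
 * Fixes over the previous version:
 *  - the softhsm command line is verified to fit in buf[] before it is
 *    handed to system(); a truncated command was previously executed as-is;
 *  - certs[MAX_CHAIN] is bounds-checked against ca_list[];
 *  - the "CA Certificate" debug line printed `end` instead of `ca`;
 *  - error messages name the call that failed, and the result of
 *    gnutls_x509_trust_list_init() is checked.
 */
void doit(void)
{
	char buf[128];
	int exit_val = 0;
	int ret;
	int len;
	unsigned j;
	const char *lib, *bin;
	gnutls_x509_crt_t issuer = NULL;
	gnutls_x509_trust_list_t tl;
	gnutls_x509_crt_t certs[MAX_CHAIN];
	gnutls_x509_crt_t end, ca;
	unsigned verify_status = 0;
	gnutls_datum_t tmp;

	/* The overloading of time() seems to work in linux (ELF?)
	 * systems only. Disable it on windows. */
#ifdef _WIN32
	exit(77);
#endif

	bin = softhsm_bin();
	lib = softhsm_lib();

	ret = global_init();
	if (ret != 0) {
		fail("%d: %s\n", ret, gnutls_strerror(ret));
		exit(1);
	}

	gnutls_pkcs11_set_pin_function(pin_func, NULL);
	gnutls_global_set_time_function(mytime);
	gnutls_global_set_log_function(tls_log_func);
	if (debug)
		gnutls_global_set_log_level(4711);

	set_softhsm_conf(CONFIG);

	/* Initialise the token with the softhsm CLI. The command is a fixed
	 * template plus the tool path; never run a truncated command line. */
	len = snprintf(buf, sizeof(buf),
		       "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin);
	if (len < 0 || (size_t) len >= sizeof(buf)) {
		fail("softhsm command line does not fit in buffer\n");
		exit(1);
	}
	/* NOTE(review): the tool's exit status is not checked, as before; a
	 * failed init surfaces at gnutls_pkcs11_token_init() below. */
	system(buf);

	ret = gnutls_pkcs11_add_provider(lib, "trusted");
	if (ret < 0) {
		fprintf(stderr, "gnutls_pkcs11_add_provider: %s\n", gnutls_strerror(ret));
		exit(1);
	}

	/* Parse the certificates destined for the token. */
	for (j = 0; ca_list[j]; j++) {
		if (j >= MAX_CHAIN) {
			fprintf(stderr, "ca_list has more than %u entries\n", (unsigned) MAX_CHAIN);
			exit(1);
		}

		if (debug > 2)
			printf("\tAdding certificate %d...", (int) j);

		ret = gnutls_x509_crt_init(&certs[j]);
		if (ret < 0) {
			fprintf(stderr, "gnutls_x509_crt_init[%d]: %s\n", (int) j, gnutls_strerror(ret));
			exit(1);
		}

		tmp.data = (unsigned char *) ca_list[j];
		tmp.size = strlen(ca_list[j]);

		ret = gnutls_x509_crt_import(certs[j], &tmp, GNUTLS_X509_FMT_PEM);
		if (debug > 2)
			printf("done\n");
		if (ret < 0) {
			fprintf(stderr, "gnutls_x509_crt_import[%d]: %s\n", (int) j, gnutls_strerror(ret));
			exit(1);
		}

		gnutls_x509_crt_print(certs[j], GNUTLS_CRT_PRINT_ONELINE, &tmp);
		if (debug)
			printf("\tCertificate %d: %.*s\n", (int) j, (int) tmp.size, tmp.data);
		gnutls_free(tmp.data);
	}

	if (debug > 2)
		printf("\tAdding end certificate...");

	ret = gnutls_x509_crt_init(&end);
	if (ret < 0) {
		fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret));
		exit(1);
	}

	tmp.data = (unsigned char *) v1_root_check[0];
	tmp.size = strlen(v1_root_check[0]);

	ret = gnutls_x509_crt_import(end, &tmp, GNUTLS_X509_FMT_PEM);
	if (ret < 0) {
		fprintf(stderr, "gnutls_x509_crt_import: %s\n", gnutls_strerror(ret));
		exit(1);
	}

	gnutls_x509_crt_print(end, GNUTLS_CRT_PRINT_ONELINE, &tmp);
	if (debug)
		printf("\tEnd Certificate: %.*s\n", (int) tmp.size, tmp.data);
	gnutls_free(tmp.data);

	ret = gnutls_x509_crt_init(&ca);
	if (ret < 0) {
		fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret));
		exit(1);
	}

	tmp.data = (unsigned char *) v1_root_check[1];
	tmp.size = strlen(v1_root_check[1]);

	ret = gnutls_x509_crt_import(ca, &tmp, GNUTLS_X509_FMT_PEM);
	if (ret < 0) {
		fprintf(stderr, "gnutls_x509_crt_import: %s\n", gnutls_strerror(ret));
		exit(1);
	}

	/* Print the CA we just parsed (the old code printed `end` here). */
	gnutls_x509_crt_print(ca, GNUTLS_CRT_PRINT_ONELINE, &tmp);
	if (debug)
		printf("\tCA Certificate: %.*s\n", (int) tmp.size, tmp.data);
	gnutls_free(tmp.data);

	if (debug > 2)
		printf("done\n");

	if (debug)
		printf("\tChecking presence and verification...");

	/* initialize softhsm token */
	ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test");
	if (ret < 0) {
		fail("gnutls_pkcs11_token_init\n");
		exit(1);
	}

	/* write CA certificates to softhsm, marked trusted (needs the SO PIN) */
	for (j = 0; ca_list[j]; j++) {
		char name[64];

		snprintf(name, sizeof(name), "test-ca%d", (int) j);
		ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, certs[j], name,
						  GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED |
						  GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO);
		if (ret < 0) {
			fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret));
			exit(1);
		}
	}

	ret = gnutls_x509_trust_list_init(&tl, 0);
	if (ret < 0) {
		fail("gnutls_x509_trust_list_init: %s\n", gnutls_strerror(ret));
		exit(1);
	}

	/* Trust anchors come from the token (via its URL) plus the V1 root. */
	ret = gnutls_x509_trust_list_add_trust_file(tl, SOFTHSM_URL, NULL, 0, 0, 0);
	if (ret < 0) {
		fail("gnutls_x509_trust_list_add_trust_file\n");
		exit(1);
	}

	ret = gnutls_x509_trust_list_add_cas(tl, &ca, 1, 0);
	if (ret < 0) {
		fail("gnutls_x509_trust_list_add_cas\n");
		exit(1);
	}

	/* extract the issuer of the certificate */
	ret = gnutls_x509_trust_list_get_issuer(tl, end, &issuer, GNUTLS_TL_GET_COPY);
	if (ret < 0) {
		fail("gnutls_x509_trust_list_get_issuer should have succeeded\n");
		exit(1);
	}
	gnutls_x509_crt_deinit(issuer);

	/* The V1 root was added to the trust list only, never to the token,
	 * so the token must not report it as a known trusted certificate. */
	ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, ca,
					 GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY |
					 GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED);
	if (ret != 0) {
		fail("gnutls_pkcs11_crt_is_known should have failed!\n");
		exit(1);
	}

	/* Time checks are disabled: the fixtures are not kept current. */
	ret = gnutls_x509_trust_list_verify_crt2(tl, &end, 1, NULL, 0,
						 GNUTLS_VERIFY_DISABLE_TIME_CHECKS,
						 &verify_status, NULL);
	if (ret < 0) {
		fail("gnutls_x509_trust_list_verify_crt2 should have succeeded\n");
		exit(1);
	}
	if (verify_status != 0) {
		fail("verification should have succeeded: %.2x\n", verify_status);
		exit(1);
	}

	if (debug)
		printf("\tCleanup...");

	/* deinit flag 0: `ca` is still ours and is freed below. */
	gnutls_x509_trust_list_deinit(tl, 0);
	gnutls_x509_crt_deinit(ca);
	gnutls_x509_crt_deinit(end);
	for (j = 0; ca_list[j]; j++)
		gnutls_x509_crt_deinit(certs[j]);

	if (debug)
		printf("done\n\n\n");

	gnutls_global_deinit();

	if (debug)
		printf("Exit status...%d\n", exit_val);

	/* NOTE(review): CONFIG is only removed on the success path, as before;
	 * early exit(1) paths leave it behind. */
	remove(CONFIG);
	exit(exit_val);
}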
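/*
 * Checks that GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT makes the
 * extensions stored by a PKCS#11 trust module take precedence over the ones
 * embedded in the certificate: the same object imported with and without the
 * flag must differ, and the overridden copy must be a CA with the expected
 * key usage. The module comes from $P11MOCKLIB1 or the compiled-in P11LIB.
 *
 * Change over the previous version: gnutls_x509_crt_init() is called outside
 * assert(), so the handles are still initialised when NDEBUG is defined.
 */
void doit(void)
{
	int ret;
	gnutls_x509_crt_t crt, ocrt;
	unsigned keyusage;
	const char *lib;

	ret = global_init();
	if (ret != 0) {
		fail("%d: %s\n", ret, gnutls_strerror(ret));
		exit(1);
	}

	/* The module path is taken from the environment for the mock
	 * harness; test-only, it is loaded without any further validation. */
	lib = getenv("P11MOCKLIB1");
	if (lib == NULL)
		lib = P11LIB;

	gnutls_global_set_time_function(mytime);
	if (debug) {
		gnutls_global_set_log_level(4711);
		success("loading lib %s\n", lib);
	}

	ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
	if (ret != 0) {
		fail("%d: %s\n", ret, gnutls_strerror(ret));
		exit(1);
	}

	ret = gnutls_pkcs11_add_provider(lib, "trusted");
	if (ret != 0) {
		fail("%d: %s\n", ret, gnutls_strerror(ret));
		exit(1);
	}

	ret = gnutls_x509_crt_init(&crt);
	if (ret < 0) {
		fail("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret));
		exit(1);
	}
	ret = gnutls_x509_crt_init(&ocrt);
	if (ret < 0) {
		fail("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret));
		exit(1);
	}

	/* check high level certificate functions */
	ret = gnutls_x509_crt_import_url(crt, "pkcs11:type=cert;object=cert1", 0);
	if (ret < 0) {
		fail("%d: %s\n", ret, gnutls_strerror(ret));
		exit(1);
	}

	ret = gnutls_x509_crt_import_url(ocrt, "pkcs11:type=cert;object=cert1",
					 GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT);
	if (ret < 0) {
		fail("%d: %s\n", ret, gnutls_strerror(ret));
		exit(1);
	}

	/* The overridden copy must differ from the plain import. */
	ret = gnutls_x509_crt_equals(crt, ocrt);
	if (ret != 0) {
		fail("exported certificates are equal!\n");
	}

	ret = gnutls_x509_crt_get_ca_status(ocrt, NULL);
	if (ret < 0) {
		fail("%d: %s\n", ret, gnutls_strerror(ret));
		exit(1);
	}
	if (ret == 0) {
		fail("overriden cert is not a CA!\n");
		exit(1);
	}

	ret = gnutls_x509_crt_get_key_usage(ocrt, &keyusage, NULL);
	if (ret < 0) {
		fail("%d: %s\n", ret, gnutls_strerror(ret));
		exit(1);
	}

	if (keyusage != (GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_ENCIPHER_ONLY | GNUTLS_KEY_KEY_CERT_SIGN)) {
		fail("Extension does not have the expected key usage!\n");
	}

	gnutls_x509_crt_deinit(crt);
	gnutls_x509_crt_deinit(ocrt);

	if (debug)
		printf("done\n\n\n");

	gnutls_global_deinit();
}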
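/* Reports a failed gnutls call named @what and ends the test. */
static void must_succeed(int ret, const char *what)
{
	if (ret < 0) {
		fail("%s: %s\n", what, gnutls_strerror(ret));
		exit(1);
	}
}

/*
 * Session-data availability under TLS false start. Before the handshake
 * gnutls_session_set_data() with a bogus blob must yield GNUTLS_E_DB_ERROR;
 * right after HANDSHAKE() the client is still mid-handshake (false start),
 * so gnutls_session_get_data2() must refuse with
 * GNUTLS_E_UNAVAILABLE_DURING_HANDSHAKE; once a record read has driven the
 * handshake to completion the data must become available.
 *
 * Change over the previous version: the server-side set-up calls are
 * checked like the client-side ones were (they were silently ignored).
 */
void doit(void)
{
	int exit_code = EXIT_SUCCESS;
	int ret;
	/* Server stuff. */
	gnutls_certificate_credentials_t serverx509cred;
	gnutls_session_t server;
	int sret = GNUTLS_E_AGAIN;
	/* Client stuff. */
	gnutls_certificate_credentials_t clientx509cred;
	gnutls_session_t client;
	int cret = GNUTLS_E_AGAIN;
	gnutls_datum_t data;
	char buf[128];

	/* General init. */
	global_init();
	gnutls_global_set_log_function(tls_log_func);
	if (debug)
		gnutls_global_set_log_level(6);
	gnutls_global_set_time_function(mytime);

	/* Init server */
	must_succeed(gnutls_certificate_allocate_credentials(&serverx509cred),
		     "gnutls_certificate_allocate_credentials");
	must_succeed(gnutls_certificate_set_x509_key_mem(serverx509cred, &server_cert, &server_key,
							 GNUTLS_X509_FMT_PEM),
		     "gnutls_certificate_set_x509_key_mem");
	must_succeed(gnutls_init(&server, GNUTLS_SERVER), "gnutls_init");
	must_succeed(gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred),
		     "gnutls_credentials_set");
	must_succeed(gnutls_set_default_priority(server), "gnutls_set_default_priority");
	gnutls_transport_set_push_function(server, server_push);
	gnutls_transport_set_pull_function(server, server_pull);
	gnutls_transport_set_ptr(server, server);

	/* Init client */
	must_succeed(gnutls_certificate_allocate_credentials(&clientx509cred),
		     "gnutls_certificate_allocate_credentials");
	must_succeed(gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca_cert, GNUTLS_X509_FMT_PEM),
		     "gnutls_certificate_set_x509_trust_mem");
	must_succeed(gnutls_init(&client, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START), "gnutls_init");
	must_succeed(gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred),
		     "gnutls_credentials_set");
	must_succeed(gnutls_set_default_priority(client), "gnutls_set_default_priority");
	gnutls_transport_set_push_function(client, client_push);
	gnutls_transport_set_pull_function(client, client_pull);
	gnutls_transport_set_ptr(client, client);

	/* A zeroed blob is not a valid session blob and must be refused. */
	memset(buf, 0, sizeof(buf));
	ret = gnutls_session_set_data(client, buf, sizeof(buf));
	if (ret != GNUTLS_E_DB_ERROR) {
		fail("unexpected error: %s\n", gnutls_strerror(ret));
	}

	HANDSHAKE(client, server);

	/* try obtaining the resumption data. This should fail because
	 * the handshake is not yet complete (due to false start) */
	ret = gnutls_session_get_data2(client, &data);
	if (ret != GNUTLS_E_UNAVAILABLE_DURING_HANDSHAKE) {
		fail("unexpected error: %s\n", gnutls_strerror(ret));
	}

	/* Reading a record lets the client finish the handshake; EAGAIN is
	 * fine since there is no application data to read. */
	ret = gnutls_record_recv(client, buf, sizeof(buf));
	if (ret < 0 && ret != GNUTLS_E_AGAIN) {
		fail("unexpected error: %s\n", gnutls_strerror(ret));
	}

	ret = gnutls_session_get_data2(client, &data);
	if (ret != 0) {
		fail("unexpected error: %s\n", gnutls_strerror(ret));
	}
	gnutls_free(data.data);

	gnutls_bye(client, GNUTLS_SHUT_RDWR);
	gnutls_bye(server, GNUTLS_SHUT_RDWR);

	gnutls_deinit(client);
	gnutls_deinit(server);

	gnutls_certificate_free_credentials(serverx509cred);
	gnutls_certificate_free_credentials(clientx509cred);

	gnutls_global_deinit();

	/* exit_code is never changed by this function; the "failed" branch
	 * is kept for symmetry with the other self-tests. */
	if (debug > 0) {
		if (exit_code == 0)
			puts("Self-test successful");
		else
			puts("Self-test failed");
	}
}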
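/*
 * Client half of a forked handshake test, talking over socket @fd.
 * Only ECDHE-RSA key exchange is enabled; the expected outcome is that the
 * handshake is aborted with GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM (treated
 * as success), any other failure ends the test via terminate().
 *
 * Note: x509_cred holds no trust anchors and no verify callback is installed,
 * so this client does not validate the server certificate at all. That is
 * fine for a fixture that never completes the handshake, but the code must
 * not be copied into anything that does.
 *
 * Changes over the previous version: stale "anonymous KX" comments (the
 * session uses certificate credentials) are gone, and the credential, session
 * and priority set-up calls are checked instead of ignored.
 */
static void client(int fd)
{
	int ret;
	gnutls_certificate_credentials_t x509_cred;
	gnutls_session_t session;

	gnutls_global_set_time_function(mytime);

	global_init();

	if (debug) {
		gnutls_global_set_log_function(client_log_func);
		gnutls_global_set_log_level(7);
	}

	ret = gnutls_certificate_allocate_credentials(&x509_cred);
	if (ret < 0) {
		fail("client: gnutls_certificate_allocate_credentials: %s\n", gnutls_strerror(ret));
		terminate();
	}

	/* Initialize TLS session; tickets are disabled so resumption cannot
	 * interfere with the expected handshake path. */
	ret = gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_NO_TICKETS);
	if (ret < 0) {
		fail("client: gnutls_init: %s\n", gnutls_strerror(ret));
		terminate();
	}

	/* Restrict key exchange to ECDHE-RSA only. */
	ret = gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+ECDHE-RSA", NULL);
	if (ret < 0) {
		fail("client: gnutls_priority_set_direct: %s\n", gnutls_strerror(ret));
		terminate();
	}

	ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
	if (ret < 0) {
		fail("client: gnutls_credentials_set: %s\n", gnutls_strerror(ret));
		terminate();
	}

	gnutls_transport_set_int(session, fd);

	/* Perform the TLS handshake */
	do {
		ret = gnutls_handshake(session);
	} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);

	if (ret == GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM) {
		/* success: the server's signature offer was rejected as intended */
		goto end;
	}

	if (ret < 0) {
		fail("client: Handshake failed: %s\n", gnutls_strerror(ret));
		terminate();
	} else {
		if (debug)
			success("client: Handshake was completed\n");
	}

	if (debug)
		success("client: TLS version is: %s\n",
			gnutls_protocol_get_name(gnutls_protocol_get_version(session)));

	gnutls_bye(session, GNUTLS_SHUT_WR);

end:
	close(fd);

	gnutls_deinit(session);
	gnutls_certificate_free_credentials(x509_cred);
	gnutls_global_deinit();
}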
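/* Prints a gnutls failure for @what and aborts the harness. */
static void die_on_error(int rc, const char *what)
{
	if (rc < 0) {
		fprintf(stderr, "%s: %s\n", what, gnutls_strerror(rc));
		exit(1);
	}
}

/*
 * Fuzzing harness entry point: sets up one certificate credential shared by a
 * server and a client session, forks, and runs the two halves of a handshake
 * over a pair of pipes. With exactly three arguments (-s|-c, message number,
 * input file) one side is driven from the recorded messages in the file; the
 * globals is_server_test / is_client_test / test_msg / input_file carry that
 * configuration to the push/pull callbacks.
 *
 * Changes over the previous version: fopen(), pipe() and fork() failures and
 * the gnutls set-up calls are checked instead of ignored. A missing input
 * file previously left input_file NULL for the callbacks, and a failed fork
 * ran the client with no server at all.
 */
int main(int argc, char *argv[])
{
	int result;
	pid_t pid;
	unsigned int pk_bits;
	gnutls_dh_params_t dh_params;
	gnutls_session_t client_session;
	gnutls_session_t server_session;
	gnutls_certificate_credentials_t x509_cred;

	is_server_test = 0;
	is_client_test = 0;
	test_msg = 0;

	if (argc == 4) {
		if (strncmp(argv[1], "-s", 2) == 0)
			is_server_test = 1;
		else if (strncmp(argv[1], "-c", 2) == 0)
			is_client_test = 1;

		test_msg = atoi(argv[2]);

		input_file = fopen(argv[3], "r");
		if (input_file == NULL) {
			perror(argv[3]);
			return 1;
		}
	}

	msg_num = 0;

	// Initialize GNUTLS and add test certificates
	result = gnutls_global_init();
	die_on_error(result, "gnutls_global_init");

	/* A frozen clock keeps validity checks deterministic across runs. */
	gnutls_global_set_time_function(stuck_time);

	die_on_error(gnutls_certificate_allocate_credentials(&x509_cred),
		     "gnutls_certificate_allocate_credentials");
	die_on_error(gnutls_certificate_set_x509_trust_file(x509_cred, CAFILE, GNUTLS_X509_FMT_PEM),
		     "gnutls_certificate_set_x509_trust_file");
	die_on_error(gnutls_certificate_set_x509_key_file(x509_cred, CERTFILE, KEYFILE, GNUTLS_X509_FMT_PEM),
		     "gnutls_certificate_set_x509_key_file");

	/* DH parameters are generated once per process, before __AFL_INIT(),
	 * so the expensive part is not repeated per fuzz iteration. */
	pk_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
	die_on_error(gnutls_dh_params_init(&dh_params), "gnutls_dh_params_init");
	die_on_error(gnutls_dh_params_generate2(dh_params, pk_bits), "gnutls_dh_params_generate2");
	gnutls_certificate_set_dh_params(x509_cred, dh_params);

	// Initialize the server session
	die_on_error(gnutls_init(&server_session, GNUTLS_SERVER), "gnutls_init(server)");
	die_on_error(gnutls_credentials_set(server_session, GNUTLS_CRD_CERTIFICATE, x509_cred),
		     "gnutls_credentials_set(server)");
	gnutls_certificate_server_set_request(server_session, GNUTLS_CERT_IGNORE);
	die_on_error(gnutls_set_default_priority(server_session), "gnutls_set_default_priority(server)");
	gnutls_transport_set_push_function(server_session, server_push);
	gnutls_transport_set_pull_function(server_session, server_pull);
	gnutls_handshake_set_timeout(server_session, 0);

	//Initialize the client session
	die_on_error(gnutls_init(&client_session, GNUTLS_CLIENT), "gnutls_init(client)");
	die_on_error(gnutls_credentials_set(client_session, GNUTLS_CRD_CERTIFICATE, x509_cred),
		     "gnutls_credentials_set(client)");
	die_on_error(gnutls_set_default_priority(client_session), "gnutls_set_default_priority(client)");
	gnutls_transport_set_push_function(client_session, client_push);
	gnutls_transport_set_pull_function(client_session, client_pull);
	// No timeout for handshake
	gnutls_handshake_set_timeout(client_session, 0);

#ifdef __AFL_HAVE_MANUAL_CONTROL
	__AFL_INIT();
#endif

	if (pipe(client_to_server) != 0 || pipe(server_to_client) != 0) {
		perror("pipe");
		return 1;
	}

	pid = fork();
	if (pid < 0) {
		perror("fork");
		return 1;
	}

	if (pid == 0) {
		// Running server session: keep only the read end of
		// client->server and the write end of server->client.
		close(client_to_server[1]);
		close(server_to_client[0]);

		do {
			result = gnutls_handshake(server_session);
		} while (result != 0 && !gnutls_error_is_fatal(result));
	} else {
		// Running client session in the parent.
		close(server_to_client[1]);
		close(client_to_server[0]);

		do {
			result = gnutls_handshake(client_session);
		} while (result != 0 && !gnutls_error_is_fatal(result));
	}

	return 0;
}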
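/* DER encoding of "o = none to\, mention,cn = nikos" as gnutls emits it:
 * SEQUENCE { SET { CN=nikos } SET { O=none to, mention } }. The test expects
 * both the subject and the issuer (self-signed) to serialise to exactly this. */
static const char expected_dn_der[] =
	"\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e";
#define EXPECTED_DN_DER_LEN (sizeof(expected_dn_der) - 1)

/*
 * Exercises the certificate builder API end to end: a self-signed v3
 * certificate is assembled field by field (serial, validity, key, basic
 * constraints, key usage, DN, SANs of every type, key purposes, unique IDs),
 * signed, and then read back through the getters. The PEM output is compared
 * with saved_crt when libidn2 is present, since IDNA-encoded SANs are part of
 * the expected bytes.
 *
 * Fixes over the previous version: two failure messages used strerror() on a
 * gnutls error code (which prints an unrelated libc message) and now use
 * gnutls_strerror(); the duplicated DER DN literal is a single named
 * constant; the final export runs outside assert().
 */
void doit(void)
{
	gnutls_x509_privkey_t pkey;
	gnutls_x509_crt_t crt;
	gnutls_x509_crt_t crt2;
	const char *err = NULL;
	unsigned char buf[64];
	gnutls_datum_t out;
	size_t s = 0;
	int ret;

	ret = global_init();
	if (ret < 0)
		fail("global_init\n");

	gnutls_global_set_time_function(mytime);
	gnutls_global_set_log_function(tls_log_func);
	if (debug)
		gnutls_global_set_log_level(4711);

	ret = gnutls_x509_crt_init(&crt);
	if (ret != 0)
		fail("gnutls_x509_crt_init\n");

	ret = gnutls_x509_crt_init(&crt2);
	if (ret != 0)
		fail("gnutls_x509_crt_init\n");

	/* crt2 is an unrelated certificate used for the inequality check. */
	ret = gnutls_x509_crt_import(crt2, &server_ecc_cert, GNUTLS_X509_FMT_PEM);
	if (ret != 0)
		fail("gnutls_x509_crt_import\n");

	ret = gnutls_x509_privkey_init(&pkey);
	if (ret != 0)
		fail("gnutls_x509_privkey_init\n");

	ret = gnutls_x509_privkey_import(pkey, &key_dat, GNUTLS_X509_FMT_PEM);
	if (ret != 0)
		fail("gnutls_x509_privkey_import\n");

	/* Setup CRT */

	ret = gnutls_x509_crt_set_version(crt, 3);
	if (ret != 0)
		fail("gnutls_x509_crt_set_version\n");

	ret = gnutls_x509_crt_set_serial(crt, "\x0a\x11\x00", 3);
	if (ret != 0)
		fail("gnutls_x509_crt_set_serial\n");

	/* -1: no expiration; activation is the pinned test clock. */
	ret = gnutls_x509_crt_set_expiration_time(crt, -1);
	if (ret != 0)
		fail("error\n");

	ret = gnutls_x509_crt_set_activation_time(crt, mytime(0));
	if (ret != 0)
		fail("error\n");

	ret = gnutls_x509_crt_set_key(crt, pkey);
	if (ret != 0)
		fail("gnutls_x509_crt_set_key\n");

	/* Not a CA (0), no path length constraint (-1). */
	ret = gnutls_x509_crt_set_basic_constraints(crt, 0, -1);
	if (ret < 0) {
		fail("error\n");
	}

	ret = gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_DIGITAL_SIGNATURE);
	if (ret != 0)
		fail("gnutls_x509_crt_set_key_usage %d\n", ret);

	/* The escaped comma in the O attribute must survive into the DER. */
	ret = gnutls_x509_crt_set_dn(crt, "o = none to\\, mention,cn = nikos", &err);
	if (ret < 0) {
		fail("gnutls_x509_crt_set_dn: %s, %s\n", gnutls_strerror(ret), err);
	}

	/* Subject alternative names; the last argument is the flags word,
	 * 1 appends to the existing SAN list, 0 (the "apa" call) does not. */
	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "foo", 3, 1);
	if (ret != 0)
		fail("gnutls_x509_crt_set_subject_alt_name\n");

	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME, "*****@*****.**",
						   strlen("*****@*****.**"), 1);
	if (ret != 0)
		fail("gnutls_x509_crt_set_subject_alt_name\n");

	/* A non-ASCII local part is not a valid e-mail SAN and must be rejected. */
	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME, "ινβάλιντ@bar.org",
						   strlen("ινβάλιντ@bar.org"), 1);
	if (ret != GNUTLS_E_INVALID_UTF8_EMAIL)
		fail("gnutls_x509_crt_set_subject_alt_name\n");

	/* IPv4 and IPv6 (::1) addresses, given in binary form. */
	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS, "\xc1\x5c\x96\x3", 4, 1);
	if (ret != 0)
		fail("gnutls_x509_crt_set_subject_alt_name\n");

	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS,
						   "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01", 16, 1);
	if (ret != 0)
		fail("gnutls_x509_crt_set_subject_alt_name\n");

	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "apa", 3, 0);
	if (ret != 0)
		fail("gnutls_x509_crt_set_subject_alt_name\n");

	/* Internationalised names need an IDNA library to be encoded. */
	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "απαλό.com",
						   strlen("απαλό.com"), 1);
#if defined(HAVE_LIBIDN2) || defined(HAVE_LIBIDN)
	if (ret != 0)
		fail("gnutls_x509_crt_set_subject_alt_name: %s\n", gnutls_strerror(ret));

	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME, "test@νίκο.org",
						   strlen("test@νίκο.org"), 1);
	if (ret != 0)
		fail("gnutls_x509_crt_set_subject_alt_name\n");
#else
	if (ret != GNUTLS_E_UNIMPLEMENTED_FEATURE)
		fail("gnutls_x509_crt_set_subject_alt_name: %s\n", gnutls_strerror(ret));
#endif

	/* Key purposes: none yet, then one set, then one appended. A NULL
	 * buffer with s == 0 only probes for presence / required size. */
	s = 0;
	ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL);
	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
		fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret);

	s = 0;
	ret = gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0);
	if (ret != 0)
		fail("gnutls_x509_crt_set_key_purpose_oid %d\n", ret);

	s = 0;
	ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL);
	if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
		fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret);

	s = 0;
	ret = gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_CLIENT, 1);
	if (ret != 0)
		fail("gnutls_x509_crt_set_key_purpose_oid2 %d\n", ret);

	/* in the end this will be ignored as the issuer will be set
	 * by gnutls_x509_crt_sign2() */
	ret = gnutls_x509_crt_set_issuer_dn(crt, "cn = my CA, o = big\\, and one", &err);
	if (ret < 0) {
		fail("gnutls_x509_crt_set_issuer_dn: %s, %s\n", gnutls_strerror(ret), err);
	}

#define ISSUER_UNIQUE_ID "\x00\x01\x02\x03"
#define SUBJECT_UNIQUE_ID "\x04\x03\x02\x01"

	ret = gnutls_x509_crt_set_issuer_unique_id(crt, ISSUER_UNIQUE_ID, sizeof(ISSUER_UNIQUE_ID) - 1);
	if (ret < 0)
		fail("error: %s\n", gnutls_strerror(ret));

	ret = gnutls_x509_crt_set_subject_unique_id(crt, SUBJECT_UNIQUE_ID, sizeof(SUBJECT_UNIQUE_ID) - 1);
	if (ret < 0)
		fail("error: %s\n", gnutls_strerror(ret));

	/* Sign and finalize the certificate (self-signed: issuer == subject) */
	ret = gnutls_x509_crt_sign2(crt, crt, pkey, GNUTLS_DIG_SHA256, 0);
	if (ret < 0)
		fail("gnutls_x509_crt_sign2: %s\n", gnutls_strerror(ret));

	ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_FULL, &out);
	if (ret != 0)
		fail("gnutls_x509_crt_print\n");
	if (debug)
		printf("crt: %.*s\n", (int) out.size, out.data);
	gnutls_free(out.data);

	/* Verify whether selected input is present */

	s = 0;
	ret = gnutls_x509_crt_get_extension_info(crt, 0, NULL, &s, NULL);
	if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
		fail("gnutls_x509_crt_get_extension_info2: %s\n", gnutls_strerror(ret));

	s = 0;
	ret = gnutls_x509_crt_get_extension_data(crt, 0, NULL, &s);
	if (ret != 0)
		fail("gnutls_x509_crt_get_extension_data: %s\n", gnutls_strerror(ret));

	ret = gnutls_x509_crt_get_raw_issuer_dn(crt, &out);
	if (ret < 0 || out.size == 0)
		fail("gnutls_x509_crt_get_raw_issuer_dn: %s\n", gnutls_strerror(ret));

	if (out.size != EXPECTED_DN_DER_LEN || memcmp(out.data, expected_dn_der, EXPECTED_DN_DER_LEN) != 0) {
		hexprint(out.data, out.size);
		fail("issuer DN comparison failed\n");
	}
	gnutls_free(out.data);

	s = sizeof(buf);
	ret = gnutls_x509_crt_get_issuer_unique_id(crt, (void *) buf, &s);
	if (ret < 0)
		fail("error: %s\n", gnutls_strerror(ret));
	if (s != sizeof(ISSUER_UNIQUE_ID) - 1 || memcmp(buf, ISSUER_UNIQUE_ID, s) != 0) {
		fail("issuer unique id comparison failed\n");
	}

	s = sizeof(buf);
	ret = gnutls_x509_crt_get_subject_unique_id(crt, (void *) buf, &s);
	if (ret < 0)
		fail("error: %s\n", gnutls_strerror(ret));
	if (s != sizeof(SUBJECT_UNIQUE_ID) - 1 || memcmp(buf, SUBJECT_UNIQUE_ID, s) != 0) {
		fail("subject unique id comparison failed\n");
	}

	ret = gnutls_x509_crt_get_raw_dn(crt, &out);
	if (ret < 0 || out.size == 0)
		fail("gnutls_x509_crt_get_raw_dn: %s\n", gnutls_strerror(ret));

	if (out.size != EXPECTED_DN_DER_LEN || memcmp(out.data, expected_dn_der, EXPECTED_DN_DER_LEN) != 0) {
		fail("DN comparison failed\n");
	}
	gnutls_free(out.data);

	ret = gnutls_x509_crt_equals(crt, crt);
	if (ret == 0) {
		fail("equality test failed\n");
	}

	ret = gnutls_x509_crt_equals(crt, crt2);
	if (ret != 0) {
		fail("equality test failed\n");
	}

	ret = gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_PEM, &out);
	assert(ret >= 0);
	if (debug)
		fprintf(stderr, "%s\n", out.data);

#if defined(HAVE_LIBIDN2)
	assert(out.size == saved_crt.size);
	assert(memcmp(out.data, saved_crt.data, out.size) == 0);
#endif
	gnutls_free(out.data);

	gnutls_x509_crt_deinit(crt);
	gnutls_x509_crt_deinit(crt2);
	gnutls_x509_privkey_deinit(pkey);

	gnutls_global_deinit();
}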
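/*
 * Write one or two buffers to @path, creating or truncating the file.
 *
 * The test fails on open, short-write or close errors so that a partially
 * written fixture can never be loaded silently by the credential loader
 * below (fclose() is what flushes the stdio buffer, so its result matters).
 * @second may be NULL, in which case @second_len is ignored.
 */
static void write_fixture_file(const char *path, const void *first, size_t first_len,
			       const void *second, size_t second_len)
{
	FILE *fp = fopen(path, "wb");

	if (fp == NULL) {
		fail("error in fopen\n");
		/* NOTE(review): reached only if fail() is not noreturn; avoids writing through NULL */
		return;
	}

	if (fwrite(first, 1, first_len, fp) != first_len) {
		fail("error in fwrite\n");
	}
	if (second != NULL && fwrite(second, 1, second_len, fp) != second_len) {
		fail("error in fwrite\n");
	}

	if (fclose(fp) != 0) {
		fail("error in fclose\n");
	}
}

/*
 * Loads a certificate chain plus key and an OCSP response into server
 * credentials from temporary files, checks the OCSP expiration times that
 * gnutls_certificate_get_ocsp_expiration() reports, and runs one TLS 1.2
 * and one TLS 1.3 client/server exchange in which check_response inspects
 * the stapled response on the client side.
 *
 * fail() is expected to terminate the process; the temporary files are
 * removed only on the success path.
 */
void doit(void)
{
	int ret;
	gnutls_certificate_credentials_t xcred;
	gnutls_certificate_credentials_t clicred;
	const char *certfile;
	const char *ocspfile1;
	char certname[TMPNAME_SIZE], ocspname1[TMPNAME_SIZE];
	time_t t;

	global_init();
	gnutls_global_set_time_function(mytime);

	assert(gnutls_certificate_allocate_credentials(&xcred) >= 0);
	assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);

	certfile = get_tmpname(certname);

	/* chain and private key share one PEM file; the same path is handed to
	 * the loader as both the certificate file and the key file */
	write_fixture_file(certfile,
			   server_localhost_ca3_cert_chain_pem,
			   strlen(server_localhost_ca3_cert_chain_pem),
			   server_ca3_key_pem,
			   strlen((char *)server_ca3_key_pem));

	/* set cert with localhost name */
	ret = gnutls_certificate_set_x509_key_file2(xcred, certfile, certfile,
						    GNUTLS_X509_FMT_PEM, NULL, 0);
	if (ret < 0)
		fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret));

	/* NOTE(review): this second chain overwrites the same file but is never
	 * loaded (there is no second set_x509_key_file2 call); kept as-is. */
	write_fixture_file(certfile,
			   server_localhost6_ca3_cert_chain_pem,
			   strlen(server_localhost6_ca3_cert_chain_pem),
			   server_ca3_key_pem,
			   strlen((char *)server_ca3_key_pem));

	/* the response is not validated against the chain at load time, which
	 * lets a fixed-date response be loaded for the expiration checks */
	gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);

	/* set OCSP response */
	ocspfile1 = get_tmpname(ocspname1);
	write_fixture_file(ocspfile1, ocsp_resp1.data, ocsp_resp1.size, NULL, 0);

	ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile1, 0);
	if (ret < 0)
		fail("ocsp file set failed: %s\n", gnutls_strerror(ret));

	/* response index 0 exists, index 1 does not; -1 presumably means
	 * "across all responses" (TODO confirm against the API docs) */
	t = gnutls_certificate_get_ocsp_expiration(xcred, 0, 0, 0);
	if (t != 1511689427)
		fail("error in OCSP validity time: %ld\n", (long int)t);

	t = gnutls_certificate_get_ocsp_expiration(xcred, 0, 1, 0);
	if (t != -1)
		fail("error in OCSP validity time: %ld\n", (long int)t);

	t = gnutls_certificate_get_ocsp_expiration(xcred, 0, -1, 0);
	if (t != 1511689427)
		fail("error in OCSP validity time: %ld\n", (long int)t);

	/* make sure that our invalid OCSP responses are not considered in verification */
	gnutls_certificate_set_verify_flags(clicred, GNUTLS_VERIFY_DISABLE_CRL_CHECKS);
	if (gnutls_certificate_get_verify_flags(clicred) != GNUTLS_VERIFY_DISABLE_CRL_CHECKS)
		fail("error in gnutls_certificate_set_verify_flags\n");

	ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM);
	if (ret < 0) {
		fail("error in setting trust cert: %s\n", gnutls_strerror(ret));
	}

	/* the DNS name of the first cert, once per protocol version */
	test_cli_serv(xcred, clicred, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost",
		      &ocsp_resp1, check_response, NULL);
	test_cli_serv(xcred, clicred, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost",
		      &ocsp_resp1, check_response, NULL);

	gnutls_certificate_free_credentials(xcred);
	gnutls_certificate_free_credentials(clicred);
	gnutls_global_deinit();

	remove(ocspfile1);
	remove(certfile);
}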
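/*
 * DER encoding of the DN "o = none to\, mention,cn = nikos" set on the
 * certificate below: SEQUENCE { SET { SEQ { CN, PrintableString "nikos" } },
 * SET { SEQ { O, PrintableString "none to, mention" } } }.
 */
static const unsigned char expected_raw_dn[] = {
	0x30, 0x2b, 0x31, 0x0e, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x05,
	0x6e, 0x69, 0x6b, 0x6f, 0x73,
	0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x10,
	0x6e, 0x6f, 0x6e, 0x65, 0x20, 0x74, 0x6f, 0x2c, 0x20, 0x6d, 0x65, 0x6e, 0x74, 0x69, 0x6f, 0x6e
};

/*
 * Fail the test unless @got is byte-for-byte the expected raw DN.
 * @what names the DN in the failure message ("issuer DN" / "DN"); the
 * received bytes are dumped first to ease diagnosis.
 */
static void expect_raw_dn(const gnutls_datum_t *got, const char *what)
{
	if (got->size != sizeof(expected_raw_dn) ||
	    memcmp(got->data, expected_raw_dn, sizeof(expected_raw_dn)) != 0) {
		hexprint(got->data, got->size);
		fail("%s comparison failed\n", what);
	}
}

/*
 * Builds a self-signed certificate through the gnutls_x509_crt_set_*()
 * setters (version, serial, validity, key, constraints, key usage, DN,
 * several SAN types including non-ASCII ones, key purposes), signs it,
 * and then checks the getters: extension lookups, raw subject/issuer DN,
 * crt equality, and (with libidn) the exact PEM against saved_crt.
 *
 * Every API failure aborts the test via fail().
 */
void doit(void)
{
	gnutls_x509_privkey_t pkey;
	gnutls_x509_crt_t crt;
	gnutls_x509_crt_t crt2;
	const char *err = NULL;
	gnutls_datum_t out;
	size_t s = 0;
	int ret;

	ret = global_init();
	if (ret < 0)
		fail("global_init\n");

	gnutls_global_set_time_function(mytime);
	gnutls_global_set_log_function(tls_log_func);
	if (debug)
		gnutls_global_set_log_level(4711);

	ret = gnutls_x509_crt_init(&crt);
	if (ret != 0)
		fail("gnutls_x509_crt_init\n");

	ret = gnutls_x509_crt_init(&crt2);
	if (ret != 0)
		fail("gnutls_x509_crt_init\n");

	/* crt2 is an unrelated certificate, used only for the inequality check */
	ret = gnutls_x509_crt_import(crt2, &server_ecc_cert, GNUTLS_X509_FMT_PEM);
	if (ret != 0)
		fail("gnutls_x509_crt_import\n");

	ret = gnutls_x509_privkey_init(&pkey);
	if (ret != 0)
		fail("gnutls_x509_privkey_init\n");

	ret = gnutls_x509_privkey_import(pkey, &key_dat, GNUTLS_X509_FMT_PEM);
	if (ret != 0)
		fail("gnutls_x509_privkey_import\n");

	/* Setup CRT */
	ret = gnutls_x509_crt_set_version(crt, 3);
	if (ret != 0)
		fail("gnutls_x509_crt_set_version\n");

	ret = gnutls_x509_crt_set_serial(crt, "\x0a\x11\x00", 3);
	if (ret != 0)
		fail("gnutls_x509_crt_set_serial\n");

	/* -1 presumably selects the "no expiration" encoding (TODO confirm) */
	ret = gnutls_x509_crt_set_expiration_time(crt, -1);
	if (ret != 0)
		fail("error\n");

	ret = gnutls_x509_crt_set_activation_time(crt, mytime(0));
	if (ret != 0)
		fail("error\n");

	ret = gnutls_x509_crt_set_key(crt, pkey);
	if (ret != 0)
		fail("gnutls_x509_crt_set_key\n");

	ret = gnutls_x509_crt_set_basic_constraints(crt, 0, -1);
	if (ret < 0) {
		fail("error\n");
	}

	ret = gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_DIGITAL_SIGNATURE);
	if (ret != 0)
		fail("gnutls_x509_crt_set_key_usage %d\n", ret);

	/* the escaped comma must survive into the encoded O value */
	ret = gnutls_x509_crt_set_dn(crt, "o = none to\\, mention,cn = nikos", &err);
	if (ret < 0) {
		fail("gnutls_x509_crt_set_dn: %s, %s\n", gnutls_strerror(ret), err);
	}

	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "foo", 3, 1);
	if (ret != 0)
		fail("gnutls_x509_crt_set_subject_alt_name\n");

	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME,
						   "*****@*****.**", strlen("*****@*****.**"), 1);
	if (ret != 0)
		fail("gnutls_x509_crt_set_subject_alt_name\n");

	/* non-ASCII local part: must be rejected, not silently encoded */
	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME,
						   "ινβάλιντ@bar.org", strlen("ινβάλιντ@bar.org"), 1);
	if (ret != GNUTLS_E_INVALID_UTF8_EMAIL)
		fail("gnutls_x509_crt_set_subject_alt_name\n");

	/* IPv4 and IPv6 addresses as raw octets */
	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS,
						   "\xc1\x5c\x96\x3", 4, 1);
	if (ret != 0)
		fail("gnutls_x509_crt_set_subject_alt_name\n");

	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS,
						   "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01", 16, 1);
	if (ret != 0)
		fail("gnutls_x509_crt_set_subject_alt_name\n");

	/* append flag 0: this entry replaces the SAN list built so far */
	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "apa", 3, 0);
	if (ret != 0)
		fail("gnutls_x509_crt_set_subject_alt_name\n");

	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME,
						   "απαλό.com", strlen("απαλό.com"), 1);
	if (ret != 0)
		fail("gnutls_x509_crt_set_subject_alt_name\n");

#ifdef HAVE_LIBIDN
	/* a non-ASCII domain part is acceptable when IDNA support is built in */
	ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME,
						   "test@νίκο.org", strlen("test@νίκο.org"), 1);
	if (ret != 0)
		fail("gnutls_x509_crt_set_subject_alt_name\n");
#endif

	/* no key purpose yet: the getter must report nothing available */
	s = 0;
	ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL);
	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
		fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret);

	ret = gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0);
	if (ret != 0)
		fail("gnutls_x509_crt_set_key_purpose_oid %d\n", ret);

	/* now a purpose exists, so a zero-sized query reports the needed size */
	s = 0;
	ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL);
	if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
		fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret);

	ret = gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_CLIENT, 1);
	if (ret != 0)
		fail("gnutls_x509_crt_set_key_purpose_oid2 %d\n", ret);

	/* this issuer is expected to be replaced by the signer's subject when
	 * the certificate is self-signed below */
	ret = gnutls_x509_crt_set_issuer_dn(crt, "cn = my CA, o = big\\, and one", &err);
	if (ret < 0) {
		fail("gnutls_x509_crt_set_issuer_dn: %s, %s\n", gnutls_strerror(ret), err);
	}

	ret = gnutls_x509_crt_sign2(crt, crt, pkey, GNUTLS_DIG_SHA256, 0);
	if (ret < 0)
		fail("gnutls_x509_crt_sign2: %s\n", gnutls_strerror(ret));

	ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_FULL, &out);
	if (ret != 0)
		fail("gnutls_x509_crt_print\n");
	if (debug)
		printf("crt: %.*s\n", (int)out.size, out.data);
	gnutls_free(out.data);

	/* Verify whether selected input is present.  GnuTLS error codes are
	 * decoded with gnutls_strerror(); strerror() would print nonsense. */
	s = 0;
	ret = gnutls_x509_crt_get_extension_info(crt, 0, NULL, &s, NULL);
	if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
		fail("gnutls_x509_crt_get_extension_info2: %s\n", gnutls_strerror(ret));

	s = 0;
	ret = gnutls_x509_crt_get_extension_data(crt, 0, NULL, &s);
	if (ret != 0)
		fail("gnutls_x509_crt_get_extension_data: %s\n", gnutls_strerror(ret));

	ret = gnutls_x509_crt_get_raw_issuer_dn(crt, &out);
	if (ret < 0 || out.size == 0)
		fail("gnutls_x509_crt_get_raw_issuer_dn: %s\n", gnutls_strerror(ret));
	expect_raw_dn(&out, "issuer DN");
	gnutls_free(out.data);

	ret = gnutls_x509_crt_get_raw_dn(crt, &out);
	if (ret < 0 || out.size == 0)
		fail("gnutls_x509_crt_get_raw_dn: %s\n", gnutls_strerror(ret));
	expect_raw_dn(&out, "DN");
	gnutls_free(out.data);

	ret = gnutls_x509_crt_equals(crt, crt);
	if (ret == 0) {
		fail("equality test failed\n");
	}

	ret = gnutls_x509_crt_equals(crt, crt2);
	if (ret != 0) {
		fail("equality test failed\n");
	}

	assert(gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_PEM, &out) >= 0);
#ifdef HAVE_LIBIDN
	/* the saved PEM includes the IDNA e-mail SAN, so it only matches with libidn */
	assert(out.size == saved_crt.size);
	assert(memcmp(out.data, saved_crt.data, out.size) == 0);
#endif
	gnutls_free(out.data);

	gnutls_x509_crt_deinit(crt);
	gnutls_x509_crt_deinit(crt2);
	gnutls_x509_privkey_deinit(pkey);
	gnutls_global_deinit();
}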
/*
 * Loads two certificate/key pairs into one set of server credentials via
 * the gnutls_certificate_set_key() path - a plain "localhost" chain and a
 * certificate carrying (invalid) UTF-8 names - and then runs client/server
 * exchanges against "localhost" and several Greek host names, the last one
 * prefixed with "raw:" so that it is matched without IDNA conversion.
 *
 * Any setup failure ends the test through fail().
 */
static void auto_parse(void)
{
	gnutls_certificate_credentials_t srv_cred;
	gnutls_certificate_credentials_t cli_cred;
	gnutls_pcert_st chain[16];
	gnutls_pcert_st utf8_chain[2];
	gnutls_privkey_t chain_key;
	gnutls_privkey_t utf8_key;
	unsigned ncerts;
	int rc;

	/* this must be called once in the program */
	global_init();
	gnutls_global_set_time_function(mytime);
	gnutls_global_set_log_function(tls_log_func);
	if (debug) {
		gnutls_global_set_log_level(6);
	}

	assert(gnutls_certificate_allocate_credentials(&srv_cred) >= 0);
	assert(gnutls_privkey_init(&chain_key) >= 0);
	assert(gnutls_certificate_allocate_credentials(&cli_cred) >= 0);

	rc = gnutls_certificate_set_x509_trust_mem(cli_cred, &ca3_cert, GNUTLS_X509_FMT_PEM);
	if (rc < 0) {
		fail("set_x509_trust_file failed: %s\n", gnutls_strerror(rc));
	}

	/* first pair: the full localhost chain, as many entries as fit */
	ncerts = sizeof(chain) / sizeof(chain[0]);
	rc = gnutls_pcert_list_import_x509_raw(chain, &ncerts,
					       &server_ca3_localhost_cert_chain,
					       GNUTLS_X509_FMT_PEM, 0);
	if (rc < 0) {
		fail("error in gnutls_pcert_list_import_x509_raw: %s\n", gnutls_strerror(rc));
	}

	rc = gnutls_privkey_import_x509_raw(chain_key, &server_ca3_key,
					    GNUTLS_X509_FMT_PEM, NULL, 0);
	if (rc < 0) {
		fail("error in key import: %s\n", gnutls_strerror(rc));
	}

	rc = gnutls_certificate_set_key(srv_cred, NULL, 0, chain, ncerts, chain_key);
	if (rc < 0) {
		fail("error in gnutls_certificate_set_key: %s\n", gnutls_strerror(rc));
		exit(1);
	}

	/* set the key with UTF8 names; only the first imported entry is installed */
	assert(gnutls_privkey_init(&utf8_key) >= 0);

	ncerts = 2;
	rc = gnutls_pcert_list_import_x509_raw(utf8_chain, &ncerts,
					       &server_ca3_localhost_inv_utf8_cert,
					       GNUTLS_X509_FMT_PEM, 0);
	if (rc < 0) {
		fail("error in gnutls_pcert_list_import_x509_raw: %s\n", gnutls_strerror(rc));
	}

	rc = gnutls_privkey_import_x509_raw(utf8_key, &server_ca3_key,
					    GNUTLS_X509_FMT_PEM, NULL, 0);
	if (rc < 0) {
		fail("error in key import: %s\n", gnutls_strerror(rc));
	}

	rc = gnutls_certificate_set_key(srv_cred, NULL, 0, utf8_chain, 1, utf8_key);
	if (rc < 0) {
		fail("error in gnutls_certificate_set_key: %s\n", gnutls_strerror(rc));
		exit(1);
	}

	/* plain name, then the UTF-8 names with and without IDNA mapping */
	test_cli_serv_expect(srv_cred, cli_cred, "NORMAL", "NORMAL", "localhost", 0, 0);
	test_cli_serv_vf(srv_cred, cli_cred, "NORMAL", "www.νίκοσ.com");
	test_cli_serv_vf(srv_cred, cli_cred, "NORMAL", "www.νίκος.com");
	test_cli_serv_vf(srv_cred, cli_cred, "NORMAL", "raw:www.νίκος.com");

	gnutls_certificate_free_credentials(srv_cred);
	gnutls_certificate_free_credentials(cli_cred);
	gnutls_global_deinit();

	if (debug) {
		success("success");
	}
}
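/*
 * Exercises trust-store lookups backed by a SoftHSM PKCS #11 token: the
 * CA certificates in ca_list are imported, copied into a freshly
 * initialised token as trusted CA objects, and then used to resolve the
 * issuer of intermediate_str both through an explicit object URL and
 * through the token URL; finally gnutls_pkcs11_crt_is_known() is queried
 * for the imported CAs.
 *
 * The token is initialised by spawning the softhsm utility returned by
 * softhsm_bin(); the command line is built with snprintf() and its
 * truncation and the spawn result are now checked instead of ignored.
 * Skipped (exit 77) on Windows where the time() override is not usable.
 */
void doit(void)
{
	char buf[128];
	int exit_val = 0;
	int ret;
	int n;
	unsigned j;
	const char *lib, *bin;
	gnutls_x509_crt_t issuer = NULL;
	gnutls_x509_trust_list_t tl;
	gnutls_x509_crt_t certs[MAX_CHAIN];
	gnutls_x509_crt_t intermediate;
	gnutls_datum_t tmp;

	/* The overloading of time() seems to work in linux (ELF?)
	 * systems only. Disable it on windows. */
#ifdef _WIN32
	exit(77);
#endif
	bin = softhsm_bin();
	lib = softhsm_lib();

	ret = global_init();
	if (ret != 0) {
		fail("%d: %s\n", ret, gnutls_strerror(ret));
		exit(1);
	}

	gnutls_pkcs11_set_pin_function(pin_func, NULL);
	gnutls_global_set_time_function(mytime);
	gnutls_global_set_log_function(tls_log_func);
	if (debug)
		gnutls_global_set_log_level(4711);

	set_softhsm_conf(CONFIG);

	/* a truncated command line would run a different command than intended */
	n = snprintf(buf, sizeof(buf),
		     "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin);
	if (n < 0 || (size_t)n >= sizeof(buf)) {
		fail("softhsm command line does not fit in buffer\n");
		exit(1);
	}

	ret = system(buf);
	if (ret == -1) {
		fail("could not run softhsm token initialization\n");
		exit(1);
	}
	/* a non-zero exit status is only reported; gnutls_pkcs11_token_init()
	 * below is the authoritative check that the token is usable */
	if (ret != 0 && debug)
		fprintf(stderr, "softhsm token initialization returned %d\n", ret);

	ret = gnutls_pkcs11_add_provider(lib, "trusted");
	if (ret < 0) {
		fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret));
		exit(1);
	}

	for (j = 0; ca_list[j]; j++) {
		/* ca_list is NUL-terminated; certs[] is not, so bound the index */
		if (j >= sizeof(certs) / sizeof(certs[0])) {
			fail("too many CA certificates for certs[]\n");
			exit(1);
		}

		if (debug > 2)
			printf("\tAdding certificate %d...", (int)j);

		ret = gnutls_x509_crt_init(&certs[j]);
		if (ret < 0) {
			fprintf(stderr, "gnutls_x509_crt_init[%d,%d]: %s\n",
				(int)3, (int)j, gnutls_strerror(ret));
			exit(1);
		}

		tmp.data = (unsigned char *)ca_list[j];
		tmp.size = strlen(ca_list[j]);

		ret = gnutls_x509_crt_import(certs[j], &tmp, GNUTLS_X509_FMT_PEM);
		if (debug > 2)
			printf("done\n");
		if (ret < 0) {
			fprintf(stderr, "gnutls_x509_crt_import[%d]: %s\n",
				(int)j, gnutls_strerror(ret));
			exit(1);
		}

		/* tmp is only assigned on success; do not print or free it otherwise */
		ret = gnutls_x509_crt_print(certs[j], GNUTLS_CRT_PRINT_ONELINE, &tmp);
		if (ret < 0) {
			fprintf(stderr, "gnutls_x509_crt_print[%d]: %s\n",
				(int)j, gnutls_strerror(ret));
			exit(1);
		}
		if (debug)
			printf("\tCertificate %d: %.*s\n", (int)j, (int)tmp.size, tmp.data);
		gnutls_free(tmp.data);
	}

	if (debug > 2)
		printf("\tAdding intermediate certificate...");

	ret = gnutls_x509_crt_init(&intermediate);
	if (ret < 0) {
		fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret));
		exit(1);
	}

	tmp.data = (unsigned char *)intermediate_str;
	tmp.size = strlen(intermediate_str);

	ret = gnutls_x509_crt_import(intermediate, &tmp, GNUTLS_X509_FMT_PEM);
	if (ret < 0) {
		fprintf(stderr, "gnutls_x509_crt_import: %s\n", gnutls_strerror(ret));
		exit(1);
	}
	if (debug > 2)
		printf("done\n");

	ret = gnutls_x509_crt_print(intermediate, GNUTLS_CRT_PRINT_ONELINE, &tmp);
	if (ret < 0) {
		fprintf(stderr, "gnutls_x509_crt_print: %s\n", gnutls_strerror(ret));
		exit(1);
	}
	if (debug)
		printf("\tIntermediate Certificate: %.*s\n", (int)tmp.size, tmp.data);
	gnutls_free(tmp.data);

	if (debug)
		printf("\tVerifying...");

	/* initialize softhsm token */
	ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test");
	if (ret < 0) {
		fail("gnutls_pkcs11_token_init\n");
		exit(1);
	}

	/* write CA certificate to softhsm, marked trusted + CA, as the SO user */
	for (j = 0; ca_list[j]; j++) {
		char name[64];

		snprintf(name, sizeof(name), "test-ca%u", j);
		ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, certs[j], name,
						  GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED |
						  GNUTLS_PKCS11_OBJ_FLAG_MARK_CA |
						  GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO);
		if (ret < 0) {
			fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret));
			exit(1);
		}
	}

	/* try to extract an issuer when using an object URL */
	gnutls_x509_trust_list_init(&tl, 0);

	/* exactly one object is expected behind OBJ_URL */
	ret = gnutls_x509_trust_list_add_trust_file(tl, OBJ_URL, NULL, 0, 0, 0);
	if (ret != 1) {
		fail("gnutls_x509_trust_list_add_trust_file (with expl. object 0): %d\n", ret);
		exit(1);
	}

	/* extract the issuer of the certificate */
	ret = gnutls_x509_trust_list_get_issuer(tl, intermediate, &issuer, GNUTLS_TL_GET_COPY);
	if (ret < 0) {
		fail("gnutls_x509_trust_list_get_issuer (with expl. object) should have succeeded\n");
		exit(1);
	}
	gnutls_x509_crt_deinit(issuer);
	gnutls_x509_trust_list_deinit(tl, 0);

	/* Try to extract issuers using PKCS #11 token URL */
	gnutls_x509_trust_list_init(&tl, 0);

	ret = gnutls_x509_trust_list_add_trust_file(tl, SOFTHSM_URL, NULL, 0, 0, 0);
	if (ret < 0) {
		fail("gnutls_x509_trust_list_add_trust_file\n");
		exit(1);
	}

	/* extract the issuer of the certificate */
	ret = gnutls_x509_trust_list_get_issuer(tl, intermediate, &issuer, GNUTLS_TL_GET_COPY);
	if (ret < 0) {
		fail("gnutls_x509_trust_list_get_issuer should have succeeded\n");
		exit(1);
	}
	gnutls_x509_crt_deinit(issuer);

	/* all imported CAs must be reported as known/trusted by the token;
	 * certs[2] is matched by key, the others by full comparison */
	ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, certs[2],
					 GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY |
					 GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED);
	if (ret == 0) {
		fail("error in gnutls_pkcs11_crt_is_known - 0\n");
		exit(1);
	}

	ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, certs[0],
					 GNUTLS_PKCS11_OBJ_FLAG_COMPARE |
					 GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED);
	if (ret == 0) {
		fail("error in gnutls_pkcs11_crt_is_known - 0\n");
		exit(1);
	}

	ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, certs[1],
					 GNUTLS_PKCS11_OBJ_FLAG_COMPARE |
					 GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED);
	if (ret == 0) {
		fail("error in gnutls_pkcs11_crt_is_known - 0\n");
		exit(1);
	}

	gnutls_x509_trust_list_deinit(tl, 0);

	/* deinit */
	if (debug)
		printf("\tCleanup...");

	gnutls_x509_crt_deinit(intermediate);
	for (j = 0; ca_list[j]; j++) {
		gnutls_x509_crt_deinit(certs[j]);
	}

	if (debug)
		printf("done\n\n\n");

	gnutls_global_deinit();

	if (debug)
		printf("Exit status...%d\n", exit_val);

	remove(CONFIG);
	exit(exit_val);
}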
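/*
 * Client half of the OCSP status-request test, talking over the connected
 * socket @fd.
 *
 * The client asks for ECDHE-RSA only, watches the certificate-status
 * handshake message through handshake_callback (which is expected to set
 * `received`), and then requires that peer verification reports
 * GNUTLS_CERT_MISSING_OCSP_STATUS.  A handshake that fails with
 * GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM is treated as a pass and skips
 * the remaining checks (the reason is not visible here; presumably the
 * server side aborts on purpose in that configuration).
 *
 * Setup calls are now checked; a failure there is reported by fail() and
 * terminate(), like the later handshake and verification failures.
 */
static void client(int fd)
{
	int ret;
	unsigned int status;
	gnutls_certificate_credentials_t x509_cred;
	gnutls_session_t session;

	gnutls_global_set_time_function(mytime);
	global_init();

	if (debug) {
		gnutls_global_set_log_function(client_log_func);
		gnutls_global_set_log_level(7);
	}

	/* no trust anchors are loaded: only the status bits are inspected below */
	ret = gnutls_certificate_allocate_credentials(&x509_cred);
	if (ret < 0) {
		fail("client: gnutls_certificate_allocate_credentials: %s\n", gnutls_strerror(ret));
		terminate();
	}

	/* Initialize TLS session */
	ret = gnutls_init(&session, GNUTLS_CLIENT);
	if (ret < 0) {
		fail("client: gnutls_init: %s\n", gnutls_strerror(ret));
		terminate();
	}

	/* restrict key exchange to ECDHE-RSA */
	ret = gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+ECDHE-RSA", NULL);
	if (ret < 0) {
		fail("client: gnutls_priority_set_direct: %s\n", gnutls_strerror(ret));
		terminate();
	}

	gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_CERTIFICATE_STATUS,
					   GNUTLS_HOOK_POST, handshake_callback);

	/* attach the certificate credentials to the current session */
	ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
	if (ret < 0) {
		fail("client: gnutls_credentials_set: %s\n", gnutls_strerror(ret));
		terminate();
	}

	gnutls_transport_set_int(session, fd);

	/* Perform the TLS handshake, retrying on non-fatal errors */
	do {
		ret = gnutls_handshake(session);
	} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);

	if (ret == GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM) {
		/* success */
		goto end;
	}

	if (ret < 0) {
		fail("client: Handshake failed: %s\n", gnutls_strerror(ret));
		terminate();
	} else {
		if (debug)
			success("client: Handshake was completed\n");
	}

	if (debug)
		success("client: TLS version is: %s\n",
			gnutls_protocol_get_name(gnutls_protocol_get_version(session)));

	/* the server must not have sent a certificate status message */
	if (received == 1) {
		fail("client: received certificate status when we shouldn't.\n");
		terminate();
	}

	ret = gnutls_certificate_verify_peers2(session, &status);
	if (ret != GNUTLS_E_SUCCESS) {
		fail("client: Peer certificate validation failed: %s\n", gnutls_strerror(ret));
		terminate();
	} else {
		/* verification is expected to flag the absent OCSP status */
		if (status & GNUTLS_CERT_MISSING_OCSP_STATUS) {
			success("client: Validation failed with GNUTLS_CERT_MISSING_OCSP_STATUS\n");
		} else {
			fail("client: Validation status does not include GNUTLS_CERT_MISSING_OCSP_STATUS. Status is %u\n",
			     status);
			terminate();
		}
	}

	gnutls_bye(session, GNUTLS_SHUT_WR);

end:
	close(fd);
	gnutls_deinit(session);
	gnutls_certificate_free_credentials(x509_cred);
	gnutls_global_deinit();
}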