void doit(void)
{
gnutls_certificate_credentials_t serv_cred;
gnutls_certificate_credentials_t cli_cred;
int ret;
/* this must be called once in the program
*/
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
assert(gnutls_certificate_allocate_credentials(&cli_cred) >= 0);
ret = gnutls_certificate_set_x509_trust_mem(cli_cred, &ca3_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
ret = gnutls_certificate_set_x509_key_mem(cli_cred, &clidsa_ca3_cert,
&clidsa_ca3_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fail("error in error code: %s\n", gnutls_strerror(ret));
exit(1);
}
/* test gnutls_certificate_flags() */
gnutls_certificate_allocate_credentials(&serv_cred);
gnutls_certificate_set_flags(serv_cred, GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH);
ret = gnutls_certificate_set_x509_trust_mem(serv_cred, &ca3_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
ret = gnutls_certificate_set_x509_key_mem(serv_cred, &server_ca3_localhost_cert_chain,
&server_ca3_key,
GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fail("error in error code\n");
exit(1);
}
test_cli_serv_cert(serv_cred, cli_cred, "NORMAL:+DHE-DSS:+SIGN-DSA-SHA1", "NORMAL:-DHE-DSS:-SIGN-DSA-SHA1", "localhost");
gnutls_certificate_free_credentials(serv_cred);
gnutls_certificate_free_credentials(cli_cred);
gnutls_global_deinit();
if (debug)
success("success");
}
void doit(void)
{
gnutls_certificate_credentials_t x509_cred;
gnutls_certificate_credentials_t clicred;
int ret;
unsigned idx;
#if !defined(HAVE_LIBIDN2)
exit(77);
#endif
/* this must be called once in the program
*/
global_init();
gnutls_global_set_time_function(mytime);
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0);
gnutls_certificate_set_flags(x509_cred, GNUTLS_CERTIFICATE_API_V2);
ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
idx = import_key(x509_cred, &server_ca3_key, &server_ca3_localhost_cert_chain);
assert(idx == 0);
idx = import_key(x509_cred, &server_ca3_key, &server_ca3_localhost_utf8_cert);
assert(idx == 1);
test_cli_serv(x509_cred, clicred, "NORMAL", "localhost", NULL, NULL, NULL);
test_cli_serv(x509_cred, clicred, "NORMAL", "www.xn--kxawhku.com", NULL, NULL, NULL); /* the previous name in IDNA format */
test_cli_serv(x509_cred, clicred, "NORMAL", "简体中文.εξτρα.com", NULL, NULL, NULL); /* the second DNS name of cert */
test_cli_serv(x509_cred, clicred, "NORMAL", "xn--fiqu1az03c18t.xn--mxah1amo.com", NULL, NULL, NULL); /* its IDNA equivalent */
test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_DISALLOWED_NAME, GNUTLS_E_AGAIN);
gnutls_certificate_free_credentials(x509_cred);
gnutls_certificate_free_credentials(clicred);
gnutls_global_deinit();
if (debug)
success("success");
}
void doit(void)
{
int ret;
gnutls_certificate_credentials_t xcred;
gnutls_certificate_credentials_t clicred;
const char *certfile;
const char *ocspfile1;
char certname[TMPNAME_SIZE], ocspname1[TMPNAME_SIZE];
time_t t;
FILE *fp;
global_init();
gnutls_global_set_time_function(mytime);
assert(gnutls_certificate_allocate_credentials(&xcred) >= 0);
assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
certfile = get_tmpname(certname);
fp = fopen(certfile, "wb");
if (fp == NULL)
fail("error in fopen\n");
assert(fwrite(server_localhost_ca3_cert_chain_pem, 1, strlen(server_localhost_ca3_cert_chain_pem), fp)>0);
assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0);
fclose(fp);
/* set cert with localhost name */
ret = gnutls_certificate_set_x509_key_file2(xcred, certfile, certfile,
GNUTLS_X509_FMT_PEM, NULL, 0);
if (ret < 0)
fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret));
fp = fopen(certfile, "wb");
if (fp == NULL)
fail("error in fopen\n");
assert(fwrite(server_localhost6_ca3_cert_chain_pem, 1, strlen(server_localhost6_ca3_cert_chain_pem), fp)>0);
assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0);
fclose(fp);
gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
/* set OCSP response */
ocspfile1 = get_tmpname(ocspname1);
fp = fopen(ocspfile1, "wb");
if (fp == NULL)
fail("error in fopen\n");
assert(fwrite(ocsp_resp1.data, 1, ocsp_resp1.size, fp)>0);
fclose(fp);
ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile1, 0);
if (ret < 0)
fail("ocsp file set failed: %s\n", gnutls_strerror(ret));
t = gnutls_certificate_get_ocsp_expiration(xcred, 0, 0, 0);
if (t != 1511689427)
fail("error in OCSP validity time: %ld\n", (long int)t);
t = gnutls_certificate_get_ocsp_expiration(xcred, 0, 1, 0);
if (t != -1)
fail("error in OCSP validity time: %ld\n", (long int)t);
t = gnutls_certificate_get_ocsp_expiration(xcred, 0, -1, 0);
if (t != 1511689427)
fail("error in OCSP validity time: %ld\n", (long int)t);
/* make sure that our invalid OCSP responses are not considered in verification
*/
gnutls_certificate_set_verify_flags(clicred, GNUTLS_VERIFY_DISABLE_CRL_CHECKS);
if (gnutls_certificate_get_verify_flags(clicred) != GNUTLS_VERIFY_DISABLE_CRL_CHECKS)
fail("error in gnutls_certificate_set_verify_flags\n");
ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fail("error in setting trust cert: %s\n", gnutls_strerror(ret));
}
test_cli_serv(xcred, clicred, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost", &ocsp_resp1, check_response, NULL); /* the DNS name of the first cert */
test_cli_serv(xcred, clicred, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost", &ocsp_resp1, check_response, NULL); /* the DNS name of the first cert */
gnutls_certificate_free_credentials(xcred);
gnutls_certificate_free_credentials(clicred);
gnutls_global_deinit();
remove(ocspfile1);
remove(certfile);
}
