void doit (void) { gnutls_datum_t der = { pem, sizeof (pem) }; gnutls_x509_crt_t cert; gnutls_datum_t out; int ret; ret = gnutls_global_init (); if (ret < 0) fail ("init %d\n", ret); ret = gnutls_x509_crt_init (&cert); if (ret < 0) fail ("crt_init %d\n", ret); ret = gnutls_x509_crt_import (cert, &der, GNUTLS_X509_FMT_PEM); if (ret < 0) fail ("crt_import %d\n", ret); ret = gnutls_x509_crt_print (cert, GNUTLS_CRT_PRINT_ONELINE, &out); if (ret < 0) fail ("x509_crt_print %d\n", ret); if (out.size != strlen (info) || strcmp (out.data, info) != 0) fail ("comparison fail (%d/%d)\nexpect: %s\n got: %.*s\n", out.size, (int) strlen (info), info, out.size, out.data); gnutls_x509_crt_deinit (cert); gnutls_global_deinit (); gnutls_free (out.data); if (debug) success ("done\n"); }
static void print_x509_info_compact(gnutls_session_t session) { gnutls_x509_crt_t crt; const gnutls_datum_t *cert_list; unsigned int cert_list_size = 0; int ret; gnutls_datum_t cinfo; cert_list = gnutls_certificate_get_peers(session, &cert_list_size); if (cert_list_size == 0) { fprintf(stderr, "No certificates found!\n"); return; } gnutls_x509_crt_init(&crt); ret = gnutls_x509_crt_import(crt, &cert_list[0], GNUTLS_X509_FMT_DER); if (ret < 0) { fprintf(stderr, "Decoding error: %s\n", gnutls_strerror(ret)); return; } ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_COMPACT, &cinfo); if (ret == 0) { printf("- X.509 cert: %s\n", cinfo.data); gnutls_free(cinfo.data); } gnutls_x509_crt_deinit(crt); }
void show_certs(struct tab *t, gnutls_x509_crt_t *certs, size_t cert_count, char *title) { gnutls_datum_t cinfo; char *tmp, *body; int i; body = g_strdup(""); for (i = 0; i < cert_count; i++) { if (gnutls_x509_crt_print(certs[i], GNUTLS_CRT_PRINT_FULL, &cinfo)) return; tmp = body; body = g_strdup_printf("%s<h2>Cert #%d</h2><pre>%s</pre>", body, i, cinfo.data); gnutls_free(cinfo.data); g_free(tmp); } tmp = get_html_page(title, body, "", 0); g_free(body); load_webkit_string(t, tmp, XT_URI_ABOUT_CERTS); g_free(tmp); }
int crypto_cert_print_fp(FILE * fp, CryptoCert cert) { gnutls_datum_t out; int x = gnutls_x509_crt_print(cert->cert, GNUTLS_CRT_PRINT_FULL, &out); ASSERT(!x); fwrite(out.data, 1, out.size, fp); gnutls_free(out.data); return True; }
static size_t wrfu(void *ptr, size_t size, size_t nmemb, void *stream) { const struct curl_tlssessioninfo *info; unsigned int cert_list_size; const gnutls_datum_t *chainp; CURLcode res; (void)stream; (void)ptr; res = curl_easy_getinfo(curl, CURLINFO_TLS_SESSION, &info); if(!res) { switch(info->backend) { case CURLSSLBACKEND_GNUTLS: /* info->internals is now the gnutls_session_t */ chainp = gnutls_certificate_get_peers(info->internals, &cert_list_size); if((chainp) && (cert_list_size)) { unsigned int i; for(i = 0; i < cert_list_size; i++) { gnutls_x509_crt_t cert; gnutls_datum_t dn; if(GNUTLS_E_SUCCESS == gnutls_x509_crt_init(&cert)) { if(GNUTLS_E_SUCCESS == gnutls_x509_crt_import(cert, &chainp[i], GNUTLS_X509_FMT_DER)) { if(GNUTLS_E_SUCCESS == gnutls_x509_crt_print(cert, GNUTLS_CRT_PRINT_FULL, &dn)) { fprintf(stderr, "Certificate #%d: %.*s", i, dn.size, dn.data); gnutls_free(dn.data); } } gnutls_x509_crt_deinit(cert); } } } break; case CURLSSLBACKEND_NONE: default: break; } } return size * nmemb; }
void doit(void) { int ret, exp_ret; gnutls_x509_crt_t cert; gnutls_datum_t der; DIR *dirp = NULL; ret = global_init(); if (ret < 0) fail("init %d\n", ret); while (getnextcert(&dirp, &der, &exp_ret)==0) { ret = gnutls_x509_crt_init(&cert); if (ret < 0) fail("crt_init %d\n", ret); ret = gnutls_x509_crt_import(cert, &der, GNUTLS_X509_FMT_DER); if (ret != exp_ret) { fail("crt_import %s\n", gnutls_strerror(ret)); } if (ret == 0) { /* attempt to fully decode */ gnutls_datum_t out; ret = gnutls_x509_crt_print(cert, GNUTLS_CRT_PRINT_FULL, &out); if (ret < 0) { fail("print: %s\n", gnutls_strerror(ret)); } gnutls_free(out.data); } gnutls_x509_crt_deinit(cert); gnutls_free(der.data); der.data = NULL; der.size = 0; exp_ret = -1; } gnutls_global_deinit(); }
static int _verify_response(gnutls_datum_t * data, gnutls_datum_t * nonce, gnutls_x509_crt_t signer) { gnutls_ocsp_resp_t resp; int ret; size_t size; gnutls_x509_crt_t *x509_ca_list = NULL; gnutls_x509_trust_list_t list; unsigned int x509_ncas = 0; unsigned verify; gnutls_datum_t dat; ret = gnutls_ocsp_resp_init(&resp); if (ret < 0) { fprintf(stderr, "ocsp_resp_init: %s\n", gnutls_strerror(ret)); exit(1); } ret = gnutls_ocsp_resp_import(resp, data); if (ret < 0) { fprintf(stderr, "importing response: %s\n", gnutls_strerror(ret)); exit(1); } if (nonce) { gnutls_datum_t rnonce; ret = gnutls_ocsp_resp_get_nonce(resp, NULL, &rnonce); if (ret < 0) { fprintf(stderr, "could not read response's nonce: %s\n", gnutls_strerror(ret)); exit(1); } if (rnonce.size != nonce->size || memcmp(nonce->data, rnonce.data, nonce->size) != 0) { fprintf(stderr, "nonce in the response doesn't match\n"); exit(1); } gnutls_free(rnonce.data); } if (HAVE_OPT(LOAD_TRUST)) { dat.data = (void *) read_binary_file(OPT_ARG(LOAD_TRUST), &size); if (dat.data == NULL) { fprintf(stderr, "reading --load-trust: %s\n", OPT_ARG(LOAD_TRUST)); exit(1); } dat.size = size; ret = gnutls_x509_trust_list_init(&list, 0); if (ret < 0) { fprintf(stderr, "gnutls_x509_trust_list_init: %s\n", gnutls_strerror(ret)); exit(1); } ret = gnutls_x509_crt_list_import2(&x509_ca_list, &x509_ncas, &dat, GNUTLS_X509_FMT_PEM, 0); if (ret < 0 || x509_ncas < 1) { fprintf(stderr, "error parsing CAs: %s\n", gnutls_strerror(ret)); exit(1); } if (HAVE_OPT(VERBOSE)) { unsigned int i; printf("Trust anchors:\n"); for (i = 0; i < x509_ncas; i++) { gnutls_datum_t out; ret = gnutls_x509_crt_print(x509_ca_list[i], GNUTLS_CRT_PRINT_ONELINE, &out); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_print: %s\n", gnutls_strerror(ret)); exit(1); } printf("%d: %.*s\n", i, out.size, out.data); gnutls_free(out.data); } printf("\n"); } ret = gnutls_x509_trust_list_add_cas(list, x509_ca_list, x509_ncas, 0); if (ret < 0) { fprintf(stderr, "gnutls_x509_trust_add_cas: %s\n", gnutls_strerror(ret)); exit(1); } if (HAVE_OPT(VERBOSE)) fprintf(stdout, "Loaded %d trust anchors\n", x509_ncas); ret = gnutls_ocsp_resp_verify(resp, list, &verify, 0); if (ret < 0) { fprintf(stderr, "gnutls_ocsp_resp_verify: %s\n", gnutls_strerror(ret)); exit(1); } } else if (signer) { if (HAVE_OPT(VERBOSE)) { gnutls_datum_t out; ret = gnutls_x509_crt_print(signer, GNUTLS_CRT_PRINT_ONELINE, &out); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_print: %s\n", gnutls_strerror(ret)); exit(1); } printf("Signer: %.*s\n", out.size, out.data); gnutls_free(out.data); printf("\n"); } ret = gnutls_ocsp_resp_verify_direct(resp, signer, &verify, 0); if (ret < 0) { fprintf(stderr, "gnutls_ocsp_resp_verify_direct: %s\n", gnutls_strerror(ret)); exit(1); } } else { fprintf(stderr, "missing --load-trust or --load-signer\n"); exit(1); } printf("Verifying OCSP Response: "); print_ocsp_verify_res(verify); printf(".\n"); gnutls_ocsp_resp_deinit(resp); return verify; }
void doit(void) { gnutls_x509_privkey_t pkey; gnutls_x509_crt_t crt; gnutls_x509_crt_t crt2; const char *err = NULL; unsigned char buf[64]; gnutls_datum_t out; size_t s = 0; int ret; ret = global_init(); if (ret < 0) fail("global_init\n"); gnutls_global_set_time_function(mytime); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); ret = gnutls_x509_crt_init(&crt); if (ret != 0) fail("gnutls_x509_crt_init\n"); ret = gnutls_x509_crt_init(&crt2); if (ret != 0) fail("gnutls_x509_crt_init\n"); ret = gnutls_x509_crt_import(crt2, &server_ecc_cert, GNUTLS_X509_FMT_PEM); if (ret != 0) fail("gnutls_x509_crt_import\n"); ret = gnutls_x509_privkey_init(&pkey); if (ret != 0) fail("gnutls_x509_privkey_init\n"); ret = gnutls_x509_privkey_import(pkey, &key_dat, GNUTLS_X509_FMT_PEM); if (ret != 0) fail("gnutls_x509_privkey_import\n"); /* Setup CRT */ ret = gnutls_x509_crt_set_version(crt, 3); if (ret != 0) fail("gnutls_x509_crt_set_version\n"); ret = gnutls_x509_crt_set_serial(crt, "\x0a\x11\x00", 3); if (ret != 0) fail("gnutls_x509_crt_set_serial\n"); ret = gnutls_x509_crt_set_expiration_time(crt, -1); if (ret != 0) fail("error\n"); ret = gnutls_x509_crt_set_activation_time(crt, mytime(0)); if (ret != 0) fail("error\n"); ret = gnutls_x509_crt_set_key(crt, pkey); if (ret != 0) fail("gnutls_x509_crt_set_key\n"); ret = gnutls_x509_crt_set_basic_constraints(crt, 0, -1); if (ret < 0) { fail("error\n"); } ret = gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_DIGITAL_SIGNATURE); if (ret != 0) fail("gnutls_x509_crt_set_key_usage %d\n", ret); ret = gnutls_x509_crt_set_dn(crt, "o = none to\\, mention,cn = nikos", &err); if (ret < 0) { fail("gnutls_x509_crt_set_dn: %s, %s\n", gnutls_strerror(ret), err); } ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "foo", 3, 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME, "*****@*****.**", strlen("*****@*****.**"), 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME, "ινβάλιντ@bar.org", strlen("ινβάλιντ@bar.org"), 1); if (ret != GNUTLS_E_INVALID_UTF8_EMAIL) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS, "\xc1\x5c\x96\x3", 4, 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01", 16, 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "apa", 3, 0); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "απαλό.com", strlen("απαλό.com"), 1); #if defined(HAVE_LIBIDN2) || defined(HAVE_LIBIDN) if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name: %s\n", gnutls_strerror(ret)); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME, "test@νίκο.org", strlen("test@νίκο.org"), 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); #else if (ret != GNUTLS_E_UNIMPLEMENTED_FEATURE) fail("gnutls_x509_crt_set_subject_alt_name: %s\n", gnutls_strerror(ret)); #endif s = 0; ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL); if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0); if (ret != 0) fail("gnutls_x509_crt_set_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL); if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_CLIENT, 1); if (ret != 0) fail("gnutls_x509_crt_set_key_purpose_oid2 %d\n", ret); /* in the end this will be ignored as the issuer will be set * by gnutls_x509_crt_sign2() */ ret = gnutls_x509_crt_set_issuer_dn(crt, "cn = my CA, o = big\\, and one", &err); if (ret < 0) { fail("gnutls_x509_crt_set_issuer_dn: %s, %s\n", gnutls_strerror(ret), err); } #define ISSUER_UNIQUE_ID "\x00\x01\x02\x03" #define SUBJECT_UNIQUE_ID "\x04\x03\x02\x01" ret = gnutls_x509_crt_set_issuer_unique_id(crt, ISSUER_UNIQUE_ID, sizeof(ISSUER_UNIQUE_ID)-1); if (ret < 0) fail("error: %s\n", gnutls_strerror(ret)); ret = gnutls_x509_crt_set_subject_unique_id(crt, SUBJECT_UNIQUE_ID, sizeof(SUBJECT_UNIQUE_ID)-1); if (ret < 0) fail("error: %s\n", gnutls_strerror(ret)); /* Sign and finalize the certificate */ ret = gnutls_x509_crt_sign2(crt, crt, pkey, GNUTLS_DIG_SHA256, 0); if (ret < 0) fail("gnutls_x509_crt_sign2: %s\n", gnutls_strerror(ret)); ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_FULL, &out); if (ret != 0) fail("gnutls_x509_crt_print\n"); if (debug) printf("crt: %.*s\n", out.size, out.data); gnutls_free(out.data); /* Verify whether selected input is present */ s = 0; ret = gnutls_x509_crt_get_extension_info(crt, 0, NULL, &s, NULL); if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) fail("gnutls_x509_crt_get_extension_info2: %s\n", strerror(ret)); s = 0; ret = gnutls_x509_crt_get_extension_data(crt, 0, NULL, &s); if (ret != 0) fail("gnutls_x509_crt_get_extension_data: %s\n", strerror(ret)); ret = gnutls_x509_crt_get_raw_issuer_dn(crt, &out); if (ret < 0 || out.size == 0) fail("gnutls_x509_crt_get_raw_issuer_dn: %s\n", gnutls_strerror(ret)); if (out.size != 45 || memcmp(out.data, "\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e", 45) != 0) { hexprint(out.data, out.size); fail("issuer DN comparison failed\n"); } gnutls_free(out.data); s = sizeof(buf); ret = gnutls_x509_crt_get_issuer_unique_id(crt, (void*)buf, &s); if (ret < 0) fail("error: %s\n", gnutls_strerror(ret)); if (s != sizeof(ISSUER_UNIQUE_ID)-1 || memcmp(buf, ISSUER_UNIQUE_ID, s) != 0) { fail("issuer unique id comparison failed\n"); } s = sizeof(buf); ret = gnutls_x509_crt_get_subject_unique_id(crt, (void*)buf, &s); if (ret < 0) fail("error: %s\n", gnutls_strerror(ret)); if (s != sizeof(SUBJECT_UNIQUE_ID)-1 || memcmp(buf, SUBJECT_UNIQUE_ID, s) != 0) { fail("subject unique id comparison failed\n"); } ret = gnutls_x509_crt_get_raw_dn(crt, &out); if (ret < 0 || out.size == 0) fail("gnutls_x509_crt_get_raw_dn: %s\n", gnutls_strerror(ret)); if (out.size != 45 || memcmp(out.data, "\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e", 45) != 0) { fail("DN comparison failed\n"); } gnutls_free(out.data); ret = gnutls_x509_crt_equals(crt, crt); if (ret == 0) { fail("equality test failed\n"); } ret = gnutls_x509_crt_equals(crt, crt2); if (ret != 0) { fail("equality test failed\n"); } assert(gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_PEM, &out) >= 0); if (debug) fprintf(stderr, "%s\n", out.data); #if defined(HAVE_LIBIDN2) assert(out.size == saved_crt.size); assert(memcmp(out.data, saved_crt.data, out.size)==0); #endif gnutls_free(out.data); gnutls_x509_crt_deinit(crt); gnutls_x509_crt_deinit(crt2); gnutls_x509_privkey_deinit(pkey); gnutls_global_deinit(); }
void doit (void) { gnutls_x509_privkey_t pkey; gnutls_x509_crt_t crt; gnutls_x509_crq_t crq; gnutls_datum_t out; size_t s = 0; char smallbuf[10]; int ret; ret = gnutls_global_init (); if (ret < 0) fail ("gnutls_global_init\n"); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (4711); ret = gnutls_x509_crq_init (&crq); if (ret != 0) fail ("gnutls_x509_crq_init\n"); ret = gnutls_x509_privkey_init (&pkey); if (ret != 0) fail ("gnutls_x509_privkey_init\n"); ret = gnutls_x509_crt_init (&crt); if (ret != 0) fail ("gnutls_x509_crt_init\n"); ret = gnutls_x509_privkey_import (pkey, &key, GNUTLS_X509_FMT_PEM); if (ret != 0) fail ("gnutls_x509_privkey_import\n"); ret = gnutls_x509_crq_set_version (crq, 0); if (ret != 0) fail ("gnutls_x509_crq_set_version\n"); ret = gnutls_x509_crq_set_key (crq, pkey); if (ret != 0) fail ("gnutls_x509_crq_set_key\n"); s = 0; ret = gnutls_x509_crq_get_extension_info (crq, 0, NULL, &s, NULL); if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) fail ("gnutls_x509_crq_get_extension_info\n"); ret = gnutls_x509_crq_set_basic_constraints (crq, 0, 0); if (ret != 0) fail ("gnutls_x509_crq_set_basic_constraints %d\n", ret); ret = gnutls_x509_crq_set_key_usage (crq, 0); if (ret != 0) fail ("gnutls_x509_crq_set_key_usage %d\n", ret); ret = gnutls_x509_crq_get_challenge_password (crq, NULL, &s); if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) fail ("gnutls_x509_crq_get_challenge_password %d\n", ret); ret = gnutls_x509_crq_set_challenge_password (crq, "foo"); if (ret != 0) fail ("gnutls_x509_crq_set_challenge_password %d\n", ret); s = 0; ret = gnutls_x509_crq_get_challenge_password (crq, NULL, &s); if (ret != 0 || s != 3) fail ("gnutls_x509_crq_get_challenge_password2 %d/%d\n", ret, (int) s); s = 10; ret = gnutls_x509_crq_get_challenge_password (crq, smallbuf, &s); if (ret != 0 || s != 3 || strcmp (smallbuf, "foo") != 0) fail ("gnutls_x509_crq_get_challenge_password3 %d/%d/%s\n", ret, (int) s, smallbuf); s = 0; ret = gnutls_x509_crq_get_extension_info (crq, 0, NULL, &s, NULL); if (ret != 0) fail ("gnutls_x509_crq_get_extension_info2\n"); s = 0; ret = gnutls_x509_crq_get_extension_data (crq, 0, NULL, &s); if (ret != 0) fail ("gnutls_x509_crq_get_extension_data\n"); ret = gnutls_x509_crq_set_subject_alt_name (crq, GNUTLS_SAN_DNSNAME, "foo", 3, 1); if (ret != 0) fail ("gnutls_x509_crq_set_subject_alt_name\n"); ret = gnutls_x509_crq_set_subject_alt_name (crq, GNUTLS_SAN_DNSNAME, "bar", 3, 1); if (ret != 0) fail ("gnutls_x509_crq_set_subject_alt_name\n"); ret = gnutls_x509_crq_set_subject_alt_name (crq, GNUTLS_SAN_DNSNAME, "apa", 3, 0); if (ret != 0) fail ("gnutls_x509_crq_set_subject_alt_name\n"); ret = gnutls_x509_crq_set_subject_alt_name (crq, GNUTLS_SAN_DNSNAME, "foo", 3, 1); if (ret != 0) fail ("gnutls_x509_crq_set_subject_alt_name\n"); s = 0; ret = gnutls_x509_crq_get_key_purpose_oid (crq, 0, NULL, &s, NULL); if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) fail ("gnutls_x509_crq_get_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crq_set_key_purpose_oid (crq, GNUTLS_KP_TLS_WWW_SERVER, 0); if (ret != 0) fail ("gnutls_x509_crq_set_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crq_get_key_purpose_oid (crq, 0, NULL, &s, NULL); if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) fail ("gnutls_x509_crq_get_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crq_set_key_purpose_oid (crq, GNUTLS_KP_TLS_WWW_CLIENT, 1); if (ret != 0) fail ("gnutls_x509_crq_set_key_purpose_oid2 %d\n", ret); ret = gnutls_x509_crq_print (crq, GNUTLS_CRT_PRINT_FULL, &out); if (ret != 0) fail ("gnutls_x509_crq_print\n"); if (debug) printf ("crq: %.*s\n", out.size, out.data); gnutls_free (out.data); ret = gnutls_x509_crt_set_version (crt, 3); if (ret != 0) fail ("gnutls_x509_crt_set_version\n"); ret = gnutls_x509_crt_set_crq_extensions (crt, crq); if (ret != 0) fail ("gnutls_x509_crt_set_crq_extensions\n"); ret = gnutls_x509_crt_print (crt, GNUTLS_CRT_PRINT_FULL, &out); if (ret != 0) fail ("gnutls_x509_crt_print\n"); if (debug) printf ("crt: %.*s\n", out.size, out.data); gnutls_free (out.data); gnutls_x509_crq_deinit (crq); gnutls_x509_crt_deinit (crt); gnutls_x509_privkey_deinit (pkey); gnutls_global_deinit (); }
static void print_x509_info (gnutls_session_t session, const char *hostname, int insecure) { gnutls_x509_crt_t crt; const gnutls_datum_t *cert_list; unsigned int cert_list_size = 0, j; int hostname_ok = 0; int ret; cert_list = gnutls_certificate_get_peers (session, &cert_list_size); if (cert_list_size == 0) { fprintf (stderr, "No certificates found!\n"); return; } printf (" - Got a certificate list of %d certificates.\n", cert_list_size); for (j = 0; j < cert_list_size; j++) { gnutls_datum_t cinfo; gnutls_x509_crt_init (&crt); ret = gnutls_x509_crt_import (crt, &cert_list[j], GNUTLS_X509_FMT_DER); if (ret < 0) { fprintf (stderr, "Decoding error: %s\n", gnutls_strerror (ret)); return; } printf (" - Certificate[%d] info:\n - ", j); if (verbose) ret = gnutls_x509_crt_print (crt, GNUTLS_CRT_PRINT_FULL, &cinfo); else ret = gnutls_x509_crt_print (crt, GNUTLS_CRT_PRINT_ONELINE, &cinfo); if (ret == 0) { printf ("%s\n", cinfo.data); gnutls_free (cinfo.data); } if (print_cert) { size_t size = 0; char *p = NULL; ret = gnutls_x509_crt_export (crt, GNUTLS_X509_FMT_PEM, p, &size); if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { p = malloc (size); if (!p) { fprintf (stderr, "gnutls_malloc\n"); exit (1); } ret = gnutls_x509_crt_export (crt, GNUTLS_X509_FMT_PEM, p, &size); } if (ret < 0) { fprintf (stderr, "Encoding error: %s\n", gnutls_strerror (ret)); return; } fputs ("\n", stdout); fputs (p, stdout); fputs ("\n", stdout); gnutls_free (p); } if (j == 0 && hostname != NULL) { /* Check the hostname of the first certificate if it matches * the name of the host we connected to. */ if (gnutls_x509_crt_check_hostname (crt, hostname) == 0) hostname_ok = 1; else hostname_ok = 2; } gnutls_x509_crt_deinit (crt); } if (hostname_ok == 1) { printf ("- The hostname in the certificate does NOT match '%s'\n", hostname); if (!insecure) exit (1); } else if (hostname_ok == 2) { printf ("- The hostname in the certificate matches '%s'.\n", hostname); } }
void doit(void) { char buf[128]; int exit_val = 0; int ret; unsigned j; const char *lib, *bin; gnutls_x509_crt_t issuer = NULL; gnutls_x509_trust_list_t tl; gnutls_x509_crt_t certs[MAX_CHAIN]; gnutls_x509_crt_t intermediate; gnutls_datum_t tmp; /* The overloading of time() seems to work in linux (ELF?) * systems only. Disable it on windows. */ #ifdef _WIN32 exit(77); #endif bin = softhsm_bin(); lib = softhsm_lib(); ret = global_init(); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } gnutls_pkcs11_set_pin_function(pin_func, NULL); gnutls_global_set_time_function(mytime); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); set_softhsm_conf(CONFIG); snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin); system(buf); ret = gnutls_pkcs11_add_provider(lib, "trusted"); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } for (j = 0; ca_list[j]; j++) { if (debug > 2) printf("\tAdding certificate %d...", (int) j); ret = gnutls_x509_crt_init(&certs[j]); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init[%d,%d]: %s\n", (int) 3, (int) j, gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) ca_list[j]; tmp.size = strlen(ca_list[j]); ret = gnutls_x509_crt_import(certs[j], &tmp, GNUTLS_X509_FMT_PEM); if (debug > 2) printf("done\n"); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import[%d]: %s\n", (int) j, gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_print(certs[j], GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tCertificate %d: %.*s\n", (int) j, tmp.size, tmp.data); gnutls_free(tmp.data); } if (debug > 2) printf("\tAdding intermediate certificate..."); ret = gnutls_x509_crt_init(&intermediate); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) intermediate_str; tmp.size = strlen(intermediate_str); ret = gnutls_x509_crt_import(intermediate, &tmp, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import: %s\n", gnutls_strerror(ret)); exit(1); } if (debug > 2) printf("done\n"); gnutls_x509_crt_print(intermediate, GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tIntermediate Certificate: %.*s\n", tmp.size, tmp.data); gnutls_free(tmp.data); if (debug) printf("\tVerifying..."); /* initialize softhsm token */ ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); if (ret < 0) { fail("gnutls_pkcs11_token_init\n"); exit(1); } /* write CA certificate to softhsm */ for (j = 0; ca_list[j]; j++) { char name[64]; snprintf(name, sizeof(name), "test-ca%d", j); ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, certs[j], name, GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO); if (ret < 0) { fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret)); exit(1); } } /* try to extract an issuer when using an object URL */ gnutls_x509_trust_list_init(&tl, 0); ret = gnutls_x509_trust_list_add_trust_file(tl, OBJ_URL, NULL, 0, 0, 0); if (ret != 1) { fail("gnutls_x509_trust_list_add_trust_file (with expl. object 0): %d\n", ret); exit(1); } /* extract the issuer of the certificate */ ret = gnutls_x509_trust_list_get_issuer(tl, intermediate, &issuer, GNUTLS_TL_GET_COPY); if (ret < 0) { fail("gnutls_x509_trust_list_get_issuer (with expl. object) should have succeeded\n"); exit(1); } gnutls_x509_crt_deinit(issuer); gnutls_x509_trust_list_deinit(tl, 0); /* Try to extract issuers using PKCS #11 token URL */ gnutls_x509_trust_list_init(&tl, 0); ret = gnutls_x509_trust_list_add_trust_file(tl, SOFTHSM_URL, NULL, 0, 0, 0); if (ret < 0) { fail("gnutls_x509_trust_list_add_trust_file\n"); exit(1); } /* extract the issuer of the certificate */ ret = gnutls_x509_trust_list_get_issuer(tl, intermediate, &issuer, GNUTLS_TL_GET_COPY); if (ret < 0) { fail("gnutls_x509_trust_list_get_issuer should have succeeded\n"); exit(1); } gnutls_x509_crt_deinit(issuer); ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, certs[2], GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED); if (ret == 0) { fail("error in gnutls_pkcs11_crt_is_known - 0\n"); exit(1); } ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, certs[0], GNUTLS_PKCS11_OBJ_FLAG_COMPARE|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED); if (ret == 0) { fail("error in gnutls_pkcs11_crt_is_known - 0\n"); exit(1); } ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, certs[1], GNUTLS_PKCS11_OBJ_FLAG_COMPARE|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED); if (ret == 0) { fail("error in gnutls_pkcs11_crt_is_known - 0\n"); exit(1); } gnutls_x509_trust_list_deinit(tl, 0); /* deinit */ if (debug) printf("\tCleanup..."); gnutls_x509_crt_deinit(intermediate); for (j = 0; ca_list[j]; j++) { gnutls_x509_crt_deinit(certs[j]); } if (debug) printf("done\n\n\n"); gnutls_global_deinit(); if (debug) printf("Exit status...%d\n", exit_val); remove(CONFIG); exit(exit_val); }
void doit(void) { gnutls_x509_privkey_t pkey; gnutls_x509_crt_t crt; gnutls_x509_crt_t crt2; const char *err = NULL; gnutls_datum_t out; size_t s = 0; int ret; ret = global_init(); if (ret < 0) fail("global_init\n"); gnutls_global_set_time_function(mytime); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); ret = gnutls_x509_crt_init(&crt); if (ret != 0) fail("gnutls_x509_crt_init\n"); ret = gnutls_x509_crt_init(&crt2); if (ret != 0) fail("gnutls_x509_crt_init\n"); ret = gnutls_x509_crt_import(crt2, &server_ecc_cert, GNUTLS_X509_FMT_PEM); if (ret != 0) fail("gnutls_x509_crt_import\n"); ret = gnutls_x509_privkey_init(&pkey); if (ret != 0) fail("gnutls_x509_privkey_init\n"); ret = gnutls_x509_privkey_import(pkey, &key_dat, GNUTLS_X509_FMT_PEM); if (ret != 0) fail("gnutls_x509_privkey_import\n"); /* Setup CRT */ ret = gnutls_x509_crt_set_version(crt, 3); if (ret != 0) fail("gnutls_x509_crt_set_version\n"); ret = gnutls_x509_crt_set_serial(crt, "\x0a\x11\x00", 3); if (ret != 0) fail("gnutls_x509_crt_set_serial\n"); ret = gnutls_x509_crt_set_expiration_time(crt, -1); if (ret != 0) fail("error\n"); ret = gnutls_x509_crt_set_activation_time(crt, mytime(0)); if (ret != 0) fail("error\n"); ret = gnutls_x509_crt_set_key(crt, pkey); if (ret != 0) fail("gnutls_x509_crt_set_key\n"); ret = gnutls_x509_crt_set_basic_constraints(crt, 0, -1); if (ret < 0) { fail("error\n"); } ret = gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_DIGITAL_SIGNATURE); if (ret != 0) fail("gnutls_x509_crt_set_key_usage %d\n", ret); ret = gnutls_x509_crt_set_dn(crt, "o = none to\\, mention,cn = nikos", &err); if (ret < 0) { fail("gnutls_x509_crt_set_dn: %s, %s\n", gnutls_strerror(ret), err); } ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "foo", 3, 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME, "*****@*****.**", strlen("*****@*****.**"), 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME, "ινβάλιντ@bar.org", strlen("ινβάλιντ@bar.org"), 1); if (ret != GNUTLS_E_INVALID_UTF8_EMAIL) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS, "\xc1\x5c\x96\x3", 4, 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_IPADDRESS, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01", 16, 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "apa", 3, 0); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "απαλό.com", strlen("απαλό.com"), 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); #ifdef HAVE_LIBIDN ret = gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_RFC822NAME, "test@νίκο.org", strlen("test@νίκο.org"), 1); if (ret != 0) fail("gnutls_x509_crt_set_subject_alt_name\n"); #endif s = 0; ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL); if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0); if (ret != 0) fail("gnutls_x509_crt_set_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crt_get_key_purpose_oid(crt, 0, NULL, &s, NULL); if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) fail("gnutls_x509_crt_get_key_purpose_oid %d\n", ret); s = 0; ret = gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_CLIENT, 1); if (ret != 0) fail("gnutls_x509_crt_set_key_purpose_oid2 %d\n", ret); ret = gnutls_x509_crt_set_issuer_dn(crt, "cn = my CA, o = big\\, and one", &err); if (ret < 0) { fail("gnutls_x509_crt_set_issuer_dn: %s, %s\n", gnutls_strerror(ret), err); } ret = gnutls_x509_crt_sign2(crt, crt, pkey, GNUTLS_DIG_SHA256, 0); if (ret < 0) fail("gnutls_x509_crt_sign2: %s\n", gnutls_strerror(ret)); ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_FULL, &out); if (ret != 0) fail("gnutls_x509_crt_print\n"); if (debug) printf("crt: %.*s\n", out.size, out.data); gnutls_free(out.data); s = 0; ret = gnutls_x509_crt_get_extension_info(crt, 0, NULL, &s, NULL); if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) fail("gnutls_x509_crt_get_extension_info2: %s\n", strerror(ret)); s = 0; ret = gnutls_x509_crt_get_extension_data(crt, 0, NULL, &s); if (ret != 0) fail("gnutls_x509_crt_get_extension_data: %s\n", strerror(ret)); ret = gnutls_x509_crt_get_raw_issuer_dn(crt, &out); if (ret < 0 || out.size == 0) fail("gnutls_x509_crt_get_raw_issuer_dn: %s\n", gnutls_strerror(ret)); if (out.size != 45 || memcmp(out.data, "\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e", 45) != 0) { hexprint(out.data, out.size); fail("issuer DN comparison failed\n"); } gnutls_free(out.data); ret = gnutls_x509_crt_get_raw_dn(crt, &out); if (ret < 0 || out.size == 0) fail("gnutls_x509_crt_get_raw_dn: %s\n", gnutls_strerror(ret)); if (out.size != 45 || memcmp(out.data, "\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e", 45) != 0) { fail("DN comparison failed\n"); } gnutls_free(out.data); ret = gnutls_x509_crt_equals(crt, crt); if (ret == 0) { fail("equality test failed\n"); } ret = gnutls_x509_crt_equals(crt, crt2); if (ret != 0) { fail("equality test failed\n"); } assert(gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_PEM, &out) >= 0); #ifdef HAVE_LIBIDN assert(out.size == saved_crt.size); assert(memcmp(out.data, saved_crt.data, out.size)==0); #endif gnutls_free(out.data); gnutls_x509_crt_deinit(crt); gnutls_x509_crt_deinit(crt2); gnutls_x509_privkey_deinit(pkey); gnutls_global_deinit(); }
/* This function will print information about this session's peer * certificate. */ void print_x509_certificate_info (gnutls_session_t session) { char serial[40]; char dn[256]; size_t size; unsigned int algo, bits; time_t expiration_time, activation_time; const gnutls_datum_t *cert_list; unsigned int cert_list_size = 0; gnutls_x509_crt_t cert; gnutls_datum_t cinfo; /* This function only works for X.509 certificates. */ if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) return; cert_list = gnutls_certificate_get_peers (session, &cert_list_size); printf ("Peer provided %d certificates.\n", cert_list_size); if (cert_list_size > 0) { int ret; /* we only print information about the first certificate. */ gnutls_x509_crt_init (&cert); gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER); printf ("Certificate info:\n"); /* This is the preferred way of printing short information about a certificate. */ ret = gnutls_x509_crt_print (cert, GNUTLS_CRT_PRINT_ONELINE, &cinfo); if (ret == 0) { printf ("\t%s\n", cinfo.data); gnutls_free (cinfo.data); } /* If you want to extract fields manually for some other reason, below are popular example calls. */ expiration_time = gnutls_x509_crt_get_expiration_time (cert); activation_time = gnutls_x509_crt_get_activation_time (cert); printf ("\tCertificate is valid since: %s", ctime (&activation_time)); printf ("\tCertificate expires: %s", ctime (&expiration_time)); /* Print the serial number of the certificate. */ size = sizeof (serial); gnutls_x509_crt_get_serial (cert, serial, &size); printf ("\tCertificate serial number: %s\n", bin2hex (serial, size)); /* Extract some of the public key algorithm's parameters */ algo = gnutls_x509_crt_get_pk_algorithm (cert, &bits); printf ("Certificate public key: %s", gnutls_pk_algorithm_get_name (algo)); /* Print the version of the X.509 * certificate. */ printf ("\tCertificate version: #%d\n", gnutls_x509_crt_get_version (cert)); size = sizeof (dn); gnutls_x509_crt_get_dn (cert, dn, &size); printf ("\tDN: %s\n", dn); size = sizeof (dn); gnutls_x509_crt_get_issuer_dn (cert, dn, &size); printf ("\tIssuer's DN: %s\n", dn); gnutls_x509_crt_deinit (cert); } }
EAPI void eet_identity_print(Eet_Key *key, FILE *out) { #ifdef HAVE_SIGNATURE # ifdef HAVE_GNUTLS const char *names[6] = { "Modulus", "Public exponent", "Private exponent", "First prime", "Second prime", "Coefficient" }; int err = 0; gnutls_datum_t data = { NULL, 0 }; gnutls_datum_t rsa_raw[6]; size_t size = 128; char *res = NULL; char buf[33]; unsigned int i, j; if (!key) return; if (!emile_cipher_init()) return ; if (key->private_key) { if (gnutls_x509_privkey_export_rsa_raw(key->private_key, rsa_raw + 0, /* Modulus */ rsa_raw + 1, /* Public exponent */ rsa_raw + 2, /* Private exponent */ rsa_raw + 3, /* First prime */ rsa_raw + 4, /* Second prime */ rsa_raw + 5)) /* Coefficient */ goto on_error; if (!(res = malloc(size))) goto on_error; fprintf(out, "Private Key:\n"); buf[32] = '\0'; for (i = 0; i < 6; i++) { while ((err = gnutls_hex_encode(rsa_raw + i, res, &size)) == GNUTLS_E_SHORT_MEMORY_BUFFER) { char *temp; size += 128; if (!(temp = realloc(res, size))) goto on_error; res = temp; } if (err) goto on_error; fprintf(out, "\t%s:\n", names[i]); for (j = 0; strlen(res) > j; j += 32) { snprintf(buf, 32, "%s", res + j); fprintf(out, "\t\t%s\n", buf); } } free(res); res = NULL; } if (key->certificate) { fprintf(out, "Public certificate:\n"); if (gnutls_x509_crt_print(key->certificate, GNUTLS_X509_CRT_FULL, &data)) goto on_error; fprintf(out, "%s\n", data.data); gnutls_free(data.data); data.data = NULL; } on_error: if (res) free(res); if (data.data) gnutls_free(data.data); return; # else /* ifdef HAVE_GNUTLS */ RSA *rsa; DSA *dsa; DH *dh; if (!key) return; if (!emile_cipher_init()) return ; rsa = EVP_PKEY_get1_RSA(key->private_key); if (rsa) { fprintf(out, "Private key (RSA):\n"); RSA_print_fp(out, rsa, 0); } dsa = EVP_PKEY_get1_DSA(key->private_key); if (dsa) { fprintf(out, "Private key (DSA):\n"); DSA_print_fp(out, dsa, 0); } dh = EVP_PKEY_get1_DH(key->private_key); if (dh) { fprintf(out, "Private key (DH):\n"); DHparams_print_fp(out, dh); } fprintf(out, "Public certificate:\n"); X509_print_fp(out, key->certificate); # endif /* ifdef HAVE_GNUTLS */ #else /* ifdef HAVE_SIGNATURE */ key = NULL; out = NULL; ERR("You need to compile signature support in EET."); #endif /* ifdef HAVE_SIGNATURE */ }
static void inf_test_certificate_request_finished_cb(InfRequest* request, const InfRequestResult* result, const GError* error, gpointer user_data) { InfTestCertificateRequest* test; InfCertificateChain* chain; guint n_certs; guint i; gnutls_datum_t datum; gnutls_x509_crt_t cert; size_t cert_size; gchar* cert_pem; test = (InfTestCertificateRequest*)user_data; if(error != NULL) { fprintf(stderr, "Error: %s\n", error->message); } else { fprintf(stderr, "Certificate generated!\n\n"); inf_request_result_get_create_acl_account(result, NULL, NULL, &chain); n_certs = inf_certificate_chain_get_n_certificates(chain); for(i = 0; i < n_certs; ++i) { fprintf(stderr, "Certificate %d", i); if(i == 0) fprintf(stderr, " (own)"); if(i == 1) fprintf(stderr, " (issuer)"); if(i == n_certs - 1) fprintf(stderr, " (CA)"); fprintf(stderr, ":\n\n"); cert = inf_certificate_chain_get_nth_certificate(chain, i); gnutls_x509_crt_print(cert, GNUTLS_CRT_PRINT_FULL, &datum); fprintf(stderr, "%s\n", datum.data); gnutls_free(datum.data); } for(i = 0; i < n_certs; ++i) { cert = inf_certificate_chain_get_nth_certificate(chain, i); cert_size = 0; gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, NULL, &cert_size); cert_pem = g_malloc(cert_size); gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, cert_pem, &cert_size); printf("%s\n\n", cert_pem); g_free(cert_pem); } cert_size = 0; gnutls_x509_privkey_export( test->key, GNUTLS_X509_FMT_PEM, NULL, &cert_size ); cert_pem = g_malloc(cert_size); gnutls_x509_privkey_export( test->key, GNUTLS_X509_FMT_PEM, cert_pem, &cert_size ); printf("%s\n", cert_pem); g_free(cert_pem); } if(inf_standalone_io_loop_running(test->io)) inf_standalone_io_loop_quit(test->io); }
static int _verify_response (gnutls_datum_t *data) { gnutls_ocsp_resp_t resp; int ret; size_t size; gnutls_x509_crt_t *x509_ca_list = NULL; unsigned int x509_ncas = 0; gnutls_x509_trust_list_t list; gnutls_x509_crt_t signer; unsigned verify; gnutls_datum_t dat; ret = gnutls_ocsp_resp_init (&resp); if (ret < 0) error (EXIT_FAILURE, 0, "ocsp_resp_init: %s", gnutls_strerror (ret)); ret = gnutls_ocsp_resp_import (resp, data); if (ret < 0) error (EXIT_FAILURE, 0, "importing response: %s", gnutls_strerror (ret)); if (HAVE_OPT(LOAD_TRUST)) { dat.data = (void*)read_binary_file (OPT_ARG(LOAD_TRUST), &size); if (dat.data == NULL) error (EXIT_FAILURE, errno, "reading --load-trust: %s", OPT_ARG(LOAD_TRUST)); dat.size = size; ret = gnutls_x509_trust_list_init (&list, 0); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_trust_list_init: %s", gnutls_strerror (ret)); ret = gnutls_x509_crt_list_import2 (&x509_ca_list, &x509_ncas, &dat, GNUTLS_X509_FMT_PEM, 0); if (ret < 0 || x509_ncas < 1) error (EXIT_FAILURE, 0, "error parsing CAs: %s", gnutls_strerror (ret)); if (HAVE_OPT(VERBOSE)) { unsigned int i; printf ("Trust anchors:\n"); for (i = 0; i < x509_ncas; i++) { gnutls_datum_t out; ret = gnutls_x509_crt_print (x509_ca_list[i], GNUTLS_CRT_PRINT_ONELINE, &out); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_crt_print: %s", gnutls_strerror (ret)); printf ("%d: %.*s\n", i, out.size, out.data); gnutls_free (out.data); } printf("\n"); } ret = gnutls_x509_trust_list_add_cas (list, x509_ca_list, x509_ncas, 0); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_trust_add_cas: %s", gnutls_strerror (ret)); if (HAVE_OPT(VERBOSE)) fprintf (stdout, "Loaded %d trust anchors\n", x509_ncas); ret = gnutls_ocsp_resp_verify (resp, list, &verify, 0); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_ocsp_resp_verify: %s", gnutls_strerror (ret)); } else if (HAVE_OPT(LOAD_SIGNER)) { ret = gnutls_x509_crt_init (&signer); if (ret < 0) error (EXIT_FAILURE, 0, "crt_init: %s", gnutls_strerror (ret)); dat.data = (void*)read_binary_file (OPT_ARG(LOAD_SIGNER), &size); if (dat.data == NULL) error (EXIT_FAILURE, errno, "reading --load-signer: %s", OPT_ARG(LOAD_SIGNER)); dat.size = size; ret = gnutls_x509_crt_import (signer, &dat, encoding); free (dat.data); if (ret < 0) error (EXIT_FAILURE, 0, "importing --load-signer: %s: %s", OPT_ARG(LOAD_SIGNER), gnutls_strerror (ret)); if (HAVE_OPT(VERBOSE)) { gnutls_datum_t out; ret = gnutls_x509_crt_print (signer, GNUTLS_CRT_PRINT_ONELINE, &out); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_crt_print: %s", gnutls_strerror (ret)); printf ("Signer: %.*s\n", out.size, out.data); gnutls_free (out.data); printf("\n"); } ret = gnutls_ocsp_resp_verify_direct (resp, signer, &verify, 0); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_ocsp_resp_verify_direct: %s", gnutls_strerror (ret)); } else error (EXIT_FAILURE, 0, "missing --load-trust or --load-signer"); printf ("Verifying OCSP Response: "); print_ocsp_verify_res (verify); printf (".\n"); gnutls_ocsp_resp_deinit (resp); return verify; }
static void run_set_extensions(gnutls_x509_crq_t crq) { gnutls_x509_crt_t crt; const char *err = NULL; gnutls_datum_t out; int ret; ret = global_init(); if (ret < 0) fail("global_init\n"); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); ret = gnutls_x509_crt_init(&crt); if (ret != 0) fail("gnutls_x509_crt_init\n"); ret = gnutls_x509_crt_set_crq(crt, crq); if (ret != 0) fail("gnutls_x509_crt_set_crq: %s\n", gnutls_strerror(ret)); ret = gnutls_x509_crt_set_issuer_dn(crt, "o = big\\, and one, cn = my CA", &err); if (ret < 0) { fail("gnutls_x509_crt_set_issuer_dn: %s, %s\n", gnutls_strerror(ret), err); } ret = gnutls_x509_crt_set_version(crt, 3); if (ret != 0) fail("gnutls_x509_crt_set_version\n"); ret = gnutls_x509_crt_set_crq_extensions(crt, crq); if (ret != 0) fail("gnutls_x509_crt_set_crq_extensions\n"); ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_FULL, &out); if (ret != 0) fail("gnutls_x509_crt_print\n"); if (debug) printf("crt: %.*s\n", out.size, out.data); gnutls_free(out.data); ret = gnutls_x509_crt_get_raw_issuer_dn(crt, &out); if (ret < 0 || out.size == 0) fail("gnutls_x509_crt_get_raw_issuer_dn: %s\n", gnutls_strerror(ret)); if (out.size != 41 || memcmp(out.data, "\x30\x27\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6d\x79\x20\x43\x41\x31\x15\x30\x13\x06\x03\x55\x04\x0a\x13\x0c\x62\x69\x67\x2c\x20\x61\x6e\x64\x20\x6f\x6e\x65", 41) != 0) { hexprint(out.data, out.size); fail("issuer DN comparison failed\n"); } gnutls_free(out.data); ret = gnutls_x509_crt_get_raw_dn(crt, &out); if (ret < 0 || out.size == 0) fail("gnutls_x509_crt_get_raw_dn: %s\n", gnutls_strerror(ret)); if (out.size != 45 || memcmp(out.data, "\x30\x2b\x31\x0e\x30\x0c\x06\x03\x55\x04\x03\x13\x05\x6e\x69\x6b\x6f\x73\x31\x19\x30\x17\x06\x03\x55\x04\x0a\x13\x10\x6e\x6f\x6e\x65\x20\x74\x6f\x2c\x20\x6d\x65\x6e\x74\x69\x6f\x6e", 45) != 0) { fail("DN comparison failed\n"); } gnutls_free(out.data); gnutls_x509_crt_deinit(crt); gnutls_global_deinit(); }
void doit(void) { char buf[128]; int exit_val = 0; int ret; unsigned j; const char *lib, *bin; gnutls_x509_crt_t issuer = NULL; gnutls_x509_trust_list_t tl; gnutls_x509_crt_t certs[MAX_CHAIN]; gnutls_x509_crt_t end, ca; unsigned verify_status = 0; gnutls_datum_t tmp; /* The overloading of time() seems to work in linux (ELF?) * systems only. Disable it on windows. */ #ifdef _WIN32 exit(77); #endif bin = softhsm_bin(); lib = softhsm_lib(); ret = global_init(); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } gnutls_pkcs11_set_pin_function(pin_func, NULL); gnutls_global_set_time_function(mytime); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); set_softhsm_conf(CONFIG); snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin); system(buf); ret = gnutls_pkcs11_add_provider(lib, "trusted"); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } for (j = 0; ca_list[j]; j++) { if (debug > 2) printf("\tAdding certificate %d...", (int) j); ret = gnutls_x509_crt_init(&certs[j]); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init[%d,%d]: %s\n", (int) 3, (int) j, gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) ca_list[j]; tmp.size = strlen(ca_list[j]); ret = gnutls_x509_crt_import(certs[j], &tmp, GNUTLS_X509_FMT_PEM); if (debug > 2) printf("done\n"); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import[%d]: %s\n", (int) j, gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_print(certs[j], GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tCertificate %d: %.*s\n", (int) j, tmp.size, tmp.data); gnutls_free(tmp.data); } if (debug > 2) printf("\tAdding end certificate..."); ret = gnutls_x509_crt_init(&end); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) v1_root_check[0]; tmp.size = strlen(v1_root_check[0]); ret = gnutls_x509_crt_import(end, &tmp, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import: %s\n", gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_print(end, GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tEnd Certificate: %.*s\n", tmp.size, tmp.data); gnutls_free(tmp.data); ret = gnutls_x509_crt_init(&ca); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) v1_root_check[1]; tmp.size = strlen(v1_root_check[1]); ret = gnutls_x509_crt_import(ca, &tmp, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import: %s\n", gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_print(end, GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tCA Certificate: %.*s\n", tmp.size, tmp.data); gnutls_free(tmp.data); if (debug > 2) printf("done\n"); if (debug) printf("\tChecking presence and verification..."); /* initialize softhsm token */ ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); if (ret < 0) { fail("gnutls_pkcs11_token_init\n"); exit(1); } /* write CA certificate to softhsm */ for (j = 0; ca_list[j]; j++) { char name[64]; snprintf(name, sizeof(name), "test-ca%d", j); ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, certs[j], name, GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED|GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO); if (ret < 0) { fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret)); exit(1); } } gnutls_x509_trust_list_init(&tl, 0); ret = gnutls_x509_trust_list_add_trust_file(tl, SOFTHSM_URL, NULL, 0, 0, 0); if (ret < 0) { fail("gnutls_x509_trust_list_add_trust_file\n"); exit(1); } ret = gnutls_x509_trust_list_add_cas(tl, &ca, 1, 0); if (ret < 0) { fail("gnutls_x509_trust_list_add_cas\n"); exit(1); } /* extract the issuer of the certificate */ ret = gnutls_x509_trust_list_get_issuer(tl, end, &issuer, GNUTLS_TL_GET_COPY); if (ret < 0) { fail("gnutls_x509_trust_list_get_issuer should have succeeded\n"); exit(1); } gnutls_x509_crt_deinit(issuer); ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, ca, GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED); if (ret != 0) { fail("gnutls_pkcs11_crt_is_known should have failed!\n"); exit(1); } ret = gnutls_x509_trust_list_verify_crt2(tl, &end, 1, NULL, 0, GNUTLS_VERIFY_DISABLE_TIME_CHECKS, &verify_status, NULL); if (ret < 0) { fail("gnutls_x509_trust_list_verify_crt2 should have succeeded\n"); exit(1); } if (verify_status != 0) { fail("verification should have succeeded: %.2x\n", verify_status); exit(1); } if (debug) printf("\tCleanup..."); gnutls_x509_trust_list_deinit(tl, 0); gnutls_x509_crt_deinit(ca); gnutls_x509_crt_deinit(end); for (j = 0; ca_list[j]; j++) { gnutls_x509_crt_deinit(certs[j]); } if (debug) printf("done\n\n\n"); gnutls_global_deinit(); if (debug) printf("Exit status...%d\n", exit_val); remove(CONFIG); exit(exit_val); }
EAPI void eet_identity_certificate_print(const unsigned char *certificate, int der_length, FILE *out) { #ifdef HAVE_SIGNATURE if (!certificate || !out || der_length <= 0) { ERR("No certificate provided."); return; } if (!emile_cipher_init()) return ; # ifdef HAVE_GNUTLS gnutls_datum_t datum; gnutls_x509_crt_t cert; /* Create an understanding certificate structure for gnutls */ datum.data = (void *)certificate; datum.size = der_length; if (gnutls_x509_crt_init(&cert)) goto on_error; if (gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_DER)) goto on_error; /* Pretty print the certificate */ datum.data = NULL; datum.size = 0; if (gnutls_x509_crt_print(cert, GNUTLS_X509_CRT_FULL, &datum)) goto on_error; INF("Public certificate :"); INF("%s", datum.data); on_error: if (datum.data) gnutls_free(datum.data); gnutls_x509_crt_deinit(cert); # else /* ifdef HAVE_GNUTLS */ const unsigned char *tmp; X509 *x509; /* Strange but d2i_X509 seems to put 0 all over the place. */ tmp = alloca(der_length); memcpy((char *)tmp, certificate, der_length); x509 = d2i_X509(NULL, &tmp, der_length); if (!x509) { INF("Not a valid certificate."); return; } INF("Public certificate :"); X509_print_fp(out, x509); X509_free(x509); # endif /* ifdef HAVE_GNUTLS */ #else /* ifdef HAVE_SIGNATURE */ certificate = NULL; der_length = 0; out = NULL; ERR("You need to compile signature support in EET."); #endif /* ifdef HAVE_SIGNATURE */ }
void doit(void) { char buf[128]; int ret; const char *lib, *bin; gnutls_x509_crt_t crt; gnutls_x509_privkey_t key; gnutls_datum_t tmp, sig; gnutls_privkey_t pkey; gnutls_pubkey_t pubkey; gnutls_pubkey_t pubkey2; unsigned i, sigalgo; bin = softhsm_bin(); lib = softhsm_lib(); ret = global_init(); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); } gnutls_pkcs11_set_pin_function(pin_func, NULL); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); set_softhsm_conf(CONFIG); snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin " PIN " --pin " PIN, bin); system(buf); ret = gnutls_pkcs11_add_provider(lib, NULL); if (ret < 0) { fail("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); } if (verify_eddsa_presence() == 0) { fprintf(stderr, "Skipping test as no EDDSA mech is supported\n"); exit(77); } ret = gnutls_x509_crt_init(&crt); if (ret < 0) fail("gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); ret = gnutls_x509_crt_import(crt, &server_ca3_eddsa_cert, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("gnutls_x509_crt_import: %s\n", gnutls_strerror(ret)); if (debug) { gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_ONELINE, &tmp); printf("\tCertificate: %.*s\n", tmp.size, tmp.data); gnutls_free(tmp.data); } ret = gnutls_x509_privkey_init(&key); if (ret < 0) { fail("gnutls_x509_privkey_init: %s\n", gnutls_strerror(ret)); } ret = gnutls_x509_privkey_import(key, &server_ca3_eddsa_key, GNUTLS_X509_FMT_PEM); if (ret < 0) { fail("gnutls_x509_privkey_import: %s\n", gnutls_strerror(ret)); } /* initialize softhsm token */ ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); if (ret < 0) { fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret)); } ret = gnutls_pkcs11_token_set_pin(SOFTHSM_URL, NULL, PIN, GNUTLS_PIN_USER); if (ret < 0) { fail("gnutls_pkcs11_token_set_pin: %s\n", gnutls_strerror(ret)); } ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, crt, "cert", GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE | GNUTLS_PKCS11_OBJ_FLAG_LOGIN); if (ret < 0) { fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret)); } ret = gnutls_pkcs11_copy_x509_privkey(SOFTHSM_URL, key, "cert", GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE | GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE | GNUTLS_PKCS11_OBJ_FLAG_LOGIN); if (ret < 0) { fail("gnutls_pkcs11_copy_x509_privkey: %s\n", gnutls_strerror(ret)); } gnutls_x509_crt_deinit(crt); gnutls_x509_privkey_deinit(key); gnutls_pkcs11_set_pin_function(NULL, NULL); assert(gnutls_privkey_init(&pkey) == 0); ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL ";object=cert;object-type=private;pin-value=" PIN); if (ret < 0) { fail("error in gnutls_privkey_import_pkcs11_url: %s\n", gnutls_strerror(ret)); } assert(gnutls_pubkey_init(&pubkey) == 0); assert(gnutls_pubkey_import_privkey(pubkey, pkey, 0, 0) == 0); assert(gnutls_pubkey_init(&pubkey2) == 0); assert(gnutls_pubkey_import_x509_raw (pubkey2, &server_ca3_eddsa_cert, GNUTLS_X509_FMT_PEM, 0) == 0); /* this is the algorithm supported by the certificate */ sigalgo = GNUTLS_SIGN_EDDSA_ED25519; for (i = 0; i < 20; i++) { /* check whether privkey and pubkey are operational * by signing and verifying */ ret = gnutls_privkey_sign_data2(pkey, sigalgo, 0, &testdata, &sig); if (ret < 0) myfail("Error signing data %s\n", gnutls_strerror(ret)); /* verify against the pubkey in PKCS #11 */ ret = gnutls_pubkey_verify_data2(pubkey, sigalgo, 0, &testdata, &sig); if (ret < 0) myfail("Error verifying data1: %s\n", gnutls_strerror(ret)); /* verify against the raw pubkey */ ret = gnutls_pubkey_verify_data2(pubkey2, sigalgo, 0, &testdata, &sig); if (ret < 0) myfail("Error verifying data2: %s\n", gnutls_strerror(ret)); gnutls_free(sig.data); } gnutls_pubkey_deinit(pubkey2); gnutls_pubkey_deinit(pubkey); gnutls_privkey_deinit(pkey); gnutls_global_deinit(); remove(CONFIG); }
void doit (void) { int exit_val = 0; size_t i; int ret; /* The overloading of time() seems to work in linux (ELF?) * systems only. Disable it on windows. */ #ifdef _WIN32 exit(77); #endif ret = gnutls_global_init (); if (ret != 0) { fail ("%d: %s\n", ret, gnutls_strerror (ret)); exit (EXIT_FAILURE); } gnutls_global_set_time_function (mytime); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (4711); for (i = 0; chains[i].chain; i++) { unsigned int verify_status; gnutls_x509_crt_t certs[4]; gnutls_x509_crt_t ca; gnutls_datum_t tmp; size_t j; if (debug) printf ("Chain '%s' (%d)...\n", chains[i].name, (int) i); for (j = 0; chains[i].chain[j]; j++) { if (debug > 2) printf ("\tAdding certificate %d...", (int) j); ret = gnutls_x509_crt_init (&certs[j]); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_crt_init[%d,%d]: %s", (int) i, (int) j, gnutls_strerror (ret)); tmp.data = (unsigned char *) chains[i].chain[j]; tmp.size = strlen (chains[i].chain[j]); ret = gnutls_x509_crt_import (certs[j], &tmp, GNUTLS_X509_FMT_PEM); if (debug > 2) printf ("done\n"); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_crt_import[%d,%d]: %s", (int) i, (int) j, gnutls_strerror (ret)); gnutls_x509_crt_print (certs[j], GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf ("\tCertificate %d: %.*s\n", (int) j, tmp.size, tmp.data); gnutls_free (tmp.data); } if (debug > 2) printf ("\tAdding CA certificate..."); ret = gnutls_x509_crt_init (&ca); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_crt_init: %s", gnutls_strerror (ret)); tmp.data = (unsigned char *) *chains[i].ca; tmp.size = strlen (*chains[i].ca); ret = gnutls_x509_crt_import (ca, &tmp, GNUTLS_X509_FMT_PEM); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_crt_import: %s", gnutls_strerror (ret)); if (debug > 2) printf ("done\n"); gnutls_x509_crt_print (ca, GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf ("\tCA Certificate: %.*s\n", tmp.size, tmp.data); gnutls_free (tmp.data); if (debug) printf ("\tVerifying..."); ret = gnutls_x509_crt_list_verify (certs, j, &ca, 1, NULL, 0, chains[i].verify_flags, &verify_status); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_crt_list_verify[%d,%d]: %s", (int) i, (int) j, gnutls_strerror (ret)); if (verify_status != chains[i].expected_verify_result) { fail ("chain[%s]: verify_status: %d expected: %d\n", chains[i].name, verify_status, chains[i].expected_verify_result); #if 0 j = 0; do { fprintf (stderr, "%s\n", chains[i].chain[j]); } while (chains[i].chain[++j] != NULL); #endif if (!debug) exit (1); } else if (debug) printf ("done\n"); if (debug) printf ("\tCleanup..."); gnutls_x509_crt_deinit (ca); for (j = 0; chains[i].chain[j]; j++) gnutls_x509_crt_deinit (certs[j]); if (debug) printf ("done\n\n\n"); } gnutls_global_deinit (); if (debug) printf ("Exit status...%d\n", exit_val); exit (exit_val); }
void doit (void) { int exit_val = 0; size_t i; int ret; ret = gnutls_global_init (); if (ret != 0) { fail ("%d: %s\n", ret, gnutls_strerror (ret)); exit (EXIT_FAILURE); } gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (4711); for (i = 0; chains[i].chain; i++) { unsigned int verify_status; gnutls_x509_crt_t certs[4]; gnutls_x509_crt_t ca; gnutls_datum_t tmp; size_t j; if (debug) printf ("Chain '%s' (%d)...\n", chains[i].name, (int) i); for (j = 0; chains[i].chain[j]; j++) { if (debug) printf ("\tAdding certificate %d...", (int) j); ret = gnutls_x509_crt_init (&certs[j]); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_crt_init[%d,%d]: %s", (int) i, (int) j, gnutls_strerror (ret)); tmp.data = (char *) chains[i].chain[j]; tmp.size = strlen (chains[i].chain[j]); ret = gnutls_x509_crt_import (certs[j], &tmp, GNUTLS_X509_FMT_PEM); if (debug) printf ("done\n"); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_crt_import[%d,%d]: %s", (int) i, (int) j, gnutls_strerror (ret)); gnutls_x509_crt_print (certs[j], GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf ("\tCertificate %d: %.*s\n", (int) j, tmp.size, tmp.data); gnutls_free (tmp.data); } if (debug) printf ("\tAdding CA certificate..."); ret = gnutls_x509_crt_init (&ca); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_crt_init: %s", gnutls_strerror (ret)); tmp.data = (char *) *chains[i].ca; tmp.size = strlen (*chains[i].ca); ret = gnutls_x509_crt_import (ca, &tmp, GNUTLS_X509_FMT_PEM); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_crt_import: %s", gnutls_strerror (ret)); if (debug) printf ("done\n"); gnutls_x509_crt_print (ca, GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf ("\tCA Certificate: %.*s\n", tmp.size, tmp.data); gnutls_free (tmp.data); if (debug) printf ("\tVerifying..."); ret = gnutls_x509_crt_list_verify (certs, j, &ca, 1, NULL, 0, chains[i].verify_flags, &verify_status); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_crt_list_verify[%d,%d]: %s", (int) i, (int) j, gnutls_strerror (ret)); if (verify_status != chains[i].expected_verify_result) { fail ("verify_status: %d expected: %d", verify_status, chains[i].expected_verify_result); if (!debug) exit (1); } else if (debug) printf ("done\n"); if (debug) printf ("\tCleanup..."); gnutls_x509_crt_deinit (ca); for (j = 0; chains[i].chain[j]; j++) gnutls_x509_crt_deinit (certs[j]); if (debug) printf ("done\n"); } gnutls_global_deinit (); if (debug) printf ("Exit status...%d\n", exit_val); exit (exit_val); }
static void print_resp(gnutls_buffer_st * str, gnutls_ocsp_resp_t resp, gnutls_ocsp_print_formats_t format) { int ret; unsigned indx; ret = gnutls_ocsp_resp_get_status(resp); if (ret < 0) { addf(str, "error: ocsp_resp_get_status: %s\n", gnutls_strerror(ret)); return; } adds(str, "\tResponse Status: "); switch (ret) { case GNUTLS_OCSP_RESP_SUCCESSFUL: adds(str, "Successful\n"); break; case GNUTLS_OCSP_RESP_MALFORMEDREQUEST: adds(str, "malformedRequest\n"); return; case GNUTLS_OCSP_RESP_INTERNALERROR: adds(str, "internalError\n"); return; case GNUTLS_OCSP_RESP_TRYLATER: adds(str, "tryLater\n"); return; case GNUTLS_OCSP_RESP_SIGREQUIRED: adds(str, "sigRequired\n"); return; case GNUTLS_OCSP_RESP_UNAUTHORIZED: adds(str, "unauthorized\n"); return; default: adds(str, "unknown\n"); return; } { gnutls_datum_t oid; ret = gnutls_ocsp_resp_get_response(resp, &oid, NULL); if (ret < 0) { addf(str, "error: get_response: %s\n", gnutls_strerror(ret)); return; } adds(str, "\tResponse Type: "); #define OCSP_BASIC "1.3.6.1.5.5.7.48.1.1" if (oid.size == sizeof(OCSP_BASIC) && memcmp(oid.data, OCSP_BASIC, oid.size) == 0) { adds(str, "Basic OCSP Response\n"); gnutls_free(oid.data); } else { addf(str, "Unknown response type (%.*s)\n", oid.size, oid.data); gnutls_free(oid.data); return; } } /* Version. */ { int version = gnutls_ocsp_resp_get_version(resp); if (version < 0) addf(str, "error: get_version: %s\n", gnutls_strerror(version)); else addf(str, _("\tVersion: %d\n"), version); } /* responderID */ { gnutls_datum_t dn; ret = gnutls_ocsp_resp_get_responder(resp, &dn); if (ret < 0 || dn.data == NULL) { if (dn.data == 0) { ret = gnutls_ocsp_resp_get_responder_raw_id(resp, GNUTLS_OCSP_RESP_ID_KEY, &dn); if (ret >= 0) { addf(str, _("\tResponder Key ID: ")); _gnutls_buffer_hexprint(str, dn.data, dn.size); adds(str, "\n"); } gnutls_free(dn.data); } else { addf(str, "error: get_dn: %s\n", gnutls_strerror(ret)); } } else { if (dn.data != NULL) { addf(str, _("\tResponder ID: %.*s\n"), dn.size, dn.data); gnutls_free(dn.data); } } } { char s[42]; size_t max = sizeof(s); struct tm t; time_t tim = gnutls_ocsp_resp_get_produced(resp); if (tim == (time_t) - 1) addf(str, "error: ocsp_resp_get_produced\n"); else if (gmtime_r(&tim, &t) == NULL) addf(str, "error: gmtime_r (%ld)\n", (unsigned long) tim); else if (strftime(s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) addf(str, "error: strftime (%ld)\n", (unsigned long) tim); else addf(str, _("\tProduced At: %s\n"), s); } addf(str, "\tResponses:\n"); for (indx = 0;; indx++) { gnutls_digest_algorithm_t digest; gnutls_datum_t in, ik, sn; unsigned int cert_status; time_t this_update; time_t next_update; time_t revocation_time; unsigned int revocation_reason; ret = gnutls_ocsp_resp_get_single(resp, indx, &digest, &in, &ik, &sn, &cert_status, &this_update, &next_update, &revocation_time, &revocation_reason); if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) break; addf(str, "\t\tCertificate ID:\n"); if (ret != GNUTLS_E_SUCCESS) { addf(str, "error: get_singleresponse: %s\n", gnutls_strerror(ret)); continue; } addf(str, "\t\t\tHash Algorithm: %s\n", _gnutls_digest_get_name(hash_to_entry(digest))); adds(str, "\t\t\tIssuer Name Hash: "); _gnutls_buffer_hexprint(str, in.data, in.size); adds(str, "\n"); adds(str, "\t\t\tIssuer Key Hash: "); _gnutls_buffer_hexprint(str, ik.data, ik.size); adds(str, "\n"); adds(str, "\t\t\tSerial Number: "); _gnutls_buffer_hexprint(str, sn.data, sn.size); adds(str, "\n"); gnutls_free(in.data); gnutls_free(ik.data); gnutls_free(sn.data); { const char *p = NULL; switch (cert_status) { case GNUTLS_OCSP_CERT_GOOD: p = "good"; break; case GNUTLS_OCSP_CERT_REVOKED: p = "revoked"; break; case GNUTLS_OCSP_CERT_UNKNOWN: p = "unknown"; break; default: addf(str, "\t\tCertificate Status: unexpected value %d\n", cert_status); break; } if (p) addf(str, "\t\tCertificate Status: %s\n", p); } /* XXX revocation reason */ if (cert_status == GNUTLS_OCSP_CERT_REVOKED) { char s[42]; size_t max = sizeof(s); struct tm t; if (revocation_time == (time_t) - 1) addf(str, "error: revocation_time\n"); else if (gmtime_r(&revocation_time, &t) == NULL) addf(str, "error: gmtime_r (%ld)\n", (unsigned long) revocation_time); else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) addf(str, "error: strftime (%ld)\n", (unsigned long) revocation_time); else addf(str, _("\t\tRevocation time: %s\n"), s); } { char s[42]; size_t max = sizeof(s); struct tm t; if (this_update == (time_t) - 1) addf(str, "error: this_update\n"); else if (gmtime_r(&this_update, &t) == NULL) addf(str, "error: gmtime_r (%ld)\n", (unsigned long) this_update); else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) addf(str, "error: strftime (%ld)\n", (unsigned long) this_update); else addf(str, _("\t\tThis Update: %s\n"), s); } { char s[42]; size_t max = sizeof(s); struct tm t; if (next_update != (time_t) - 1) { if (gmtime_r(&next_update, &t) == NULL) addf(str, "error: gmtime_r (%ld)\n", (unsigned long) next_update); else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) addf(str, "error: strftime (%ld)\n", (unsigned long) next_update); else addf(str, _("\t\tNext Update: %s\n"), s); } } /* XXX singleRequestExtensions */ } adds(str, "\tExtensions:\n"); for (indx = 0;; indx++) { gnutls_datum_t oid; unsigned int critical; gnutls_datum_t data; ret = gnutls_ocsp_resp_get_extension(resp, indx, &oid, &critical, &data); if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) break; else if (ret != GNUTLS_E_SUCCESS) { addf(str, "error: get_extension: %s\n", gnutls_strerror(ret)); continue; } if (oid.size == sizeof(GNUTLS_OCSP_NONCE) && memcmp(oid.data, GNUTLS_OCSP_NONCE, oid.size) == 0) { gnutls_datum_t nonce; unsigned int ncrit; ret = gnutls_ocsp_resp_get_nonce(resp, &ncrit, &nonce); if (ret != GNUTLS_E_SUCCESS) { addf(str, "error: get_nonce: %s\n", gnutls_strerror(ret)); } else { addf(str, "\t\tNonce%s: ", ncrit ? " (critical)" : ""); _gnutls_buffer_hexprint(str, nonce.data, nonce.size); adds(str, "\n"); gnutls_free(nonce.data); } } else { addf(str, "\t\tUnknown extension %s (%s):\n", oid.data, critical ? "critical" : "not critical"); adds(str, _("\t\t\tASCII: ")); _gnutls_buffer_asciiprint(str, (char *) data.data, data.size); addf(str, "\n"); adds(str, _("\t\t\tHexdump: ")); _gnutls_buffer_hexprint(str, (char *) data.data, data.size); adds(str, "\n"); } gnutls_free(oid.data); gnutls_free(data.data); } /* Signature. */ if (format == GNUTLS_OCSP_PRINT_FULL) { gnutls_datum_t sig; ret = gnutls_ocsp_resp_get_signature_algorithm(resp); if (ret < 0) addf(str, "error: get_signature_algorithm: %s\n", gnutls_strerror(ret)); else { const char *name = gnutls_sign_algorithm_get_name(ret); if (name == NULL) name = _("unknown"); addf(str, _("\tSignature Algorithm: %s\n"), name); } if (ret != GNUTLS_SIGN_UNKNOWN && gnutls_sign_is_secure(ret) == 0) { adds(str, _("warning: signed using a broken signature " "algorithm that can be forged.\n")); } ret = gnutls_ocsp_resp_get_signature(resp, &sig); if (ret < 0) addf(str, "error: get_signature: %s\n", gnutls_strerror(ret)); else { adds(str, _("\tSignature:\n")); _gnutls_buffer_hexdump(str, sig.data, sig.size, "\t\t"); gnutls_free(sig.data); } } /* certs */ if (format == GNUTLS_OCSP_PRINT_FULL) { gnutls_x509_crt_t *certs; size_t ncerts, i; gnutls_datum_t out; ret = gnutls_ocsp_resp_get_certs(resp, &certs, &ncerts); if (ret < 0) addf(str, "error: get_certs: %s\n", gnutls_strerror(ret)); else { if (ncerts > 0) addf(str, "\tAdditional certificates:\n"); for (i = 0; i < ncerts; i++) { size_t s = 0; ret = gnutls_x509_crt_print(certs[i], GNUTLS_CRT_PRINT_FULL, &out); if (ret < 0) addf(str, "error: crt_print: %s\n", gnutls_strerror(ret)); else { addf(str, "%.*s", out.size, out.data); gnutls_free(out.data); } ret = gnutls_x509_crt_export(certs[i], GNUTLS_X509_FMT_PEM, NULL, &s); if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) addf(str, "error: crt_export: %s\n", gnutls_strerror(ret)); else { out.data = gnutls_malloc(s); if (out.data == NULL) addf(str, "error: malloc: %s\n", gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); else { ret = gnutls_x509_crt_export (certs[i], GNUTLS_X509_FMT_PEM, out.data, &s); if (ret < 0) addf(str, "error: crt_export: %s\n", gnutls_strerror (ret)); else { out.size = s; addf(str, "%.*s", out.size, out.data); } gnutls_free(out.data); } } gnutls_x509_crt_deinit(certs[i]); } gnutls_free(certs); } } }
void doit(void) { int exit_val = 0; size_t i; int ret; gnutls_x509_trust_list_t tl; unsigned int verify_status; gnutls_x509_crl_t crl; gnutls_x509_crt_t ca; gnutls_datum_t tmp; /* The overloading of time() seems to work in linux (ELF?) * systems only. Disable it on windows. */ #ifdef _WIN32 exit(77); #endif ret = global_init(); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } gnutls_global_set_time_function(mytime); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); for (i = 0; crl_list[i].name; i++) { if (debug) printf("Chain '%s' (%d)...\n", crl_list[i].name, (int) i); if (debug > 2) printf("\tAdding CRL..."); ret = gnutls_x509_crl_init(&crl); if (ret < 0) { fprintf(stderr, "gnutls_x509_crl_init[%d]: %s\n", (int) i, gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) *crl_list[i].crl; tmp.size = strlen(*crl_list[i].crl); ret = gnutls_x509_crl_import(crl, &tmp, GNUTLS_X509_FMT_PEM); if (debug > 2) printf("done\n"); if (ret < 0) { fprintf(stderr, "gnutls_x509_crl_import[%s]: %s\n", crl_list[i].name, gnutls_strerror(ret)); exit(1); } gnutls_x509_crl_print(crl, GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tCRL: %.*s\n", tmp.size, tmp.data); gnutls_free(tmp.data); if (debug > 2) printf("\tAdding CA certificate..."); ret = gnutls_x509_crt_init(&ca); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) *crl_list[i].ca; tmp.size = strlen(*crl_list[i].ca); ret = gnutls_x509_crt_import(ca, &tmp, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import: %s\n", gnutls_strerror(ret)); exit(1); } if (debug > 2) printf("done\n"); gnutls_x509_crt_print(ca, GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tCA Certificate: %.*s\n", tmp.size, tmp.data); gnutls_free(tmp.data); if (debug) printf("\tVerifying..."); ret = gnutls_x509_crl_verify(crl, &ca, 1, crl_list[i].verify_flags, &verify_status); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_list_verify[%d]: %s\n", (int) i, gnutls_strerror(ret)); exit(1); } if (verify_status != crl_list[i].expected_verify_result) { gnutls_datum_t out1, out2; gnutls_certificate_verification_status_print (verify_status, GNUTLS_CRT_X509, &out1, 0); gnutls_certificate_verification_status_print(crl_list [i]. expected_verify_result, GNUTLS_CRT_X509, &out2, 0); fail("chain[%s]:\nverify_status: %d: %s\nexpected: %d: %s\n", crl_list[i].name, verify_status, out1.data, crl_list[i].expected_verify_result, out2.data); gnutls_free(out1.data); gnutls_free(out2.data); if (!debug) exit(1); } else if (debug) printf("done\n"); gnutls_x509_trust_list_init(&tl, 0); ret = gnutls_x509_trust_list_add_cas(tl, &ca, 1, 0); if (ret != 1) { fail("gnutls_x509_trust_list_add_trust_mem\n"); exit(1); } /* make sure that the two functions don't diverge */ ret = gnutls_x509_trust_list_add_crls(tl, &crl, 1, GNUTLS_TL_VERIFY_CRL, crl_list[i].verify_flags); if (crl_list[i].expected_verify_result == 0 && ret < 0) { fprintf(stderr, "gnutls_x509_trust_list_add_crls[%d]: %s\n", (int) i, gnutls_strerror(ret)); exit(1); } if (crl_list[i].expected_verify_result != 0 && ret > 0) { fprintf(stderr, "gnutls_x509_trust_list_add_crls[%d]: succeeded when it shouldn't\n", (int) i); exit(1); } if (debug) printf("\tCleanup..."); gnutls_x509_trust_list_deinit(tl, 0); gnutls_x509_crt_deinit(ca); gnutls_x509_crl_deinit(crl); if (debug) printf("done\n\n\n"); } gnutls_global_deinit(); if (debug) printf("Exit status...%d\n", exit_val); exit(exit_val); }
static void print_x509_info (gnutls_session_t session, int flag, int print_cert) { gnutls_x509_crt_t crt; const gnutls_datum_t *cert_list; unsigned int cert_list_size = 0, j; int ret; cert_list = gnutls_certificate_get_peers (session, &cert_list_size); if (cert_list_size == 0) { fprintf (stderr, "No certificates found!\n"); return; } printf ("- Certificate type: X.509\n"); printf ("- Got a certificate list of %d certificates.\n", cert_list_size); for (j = 0; j < cert_list_size; j++) { gnutls_datum_t cinfo; gnutls_x509_crt_init (&crt); ret = gnutls_x509_crt_import (crt, &cert_list[j], GNUTLS_X509_FMT_DER); if (ret < 0) { fprintf (stderr, "Decoding error: %s\n", gnutls_strerror (ret)); return; } printf ("- Certificate[%d] info:\n - ", j); ret = gnutls_x509_crt_print (crt, flag, &cinfo); if (ret == 0) { printf ("%s\n", cinfo.data); gnutls_free (cinfo.data); } if (print_cert) { size_t size = 0; char *p = NULL; ret = gnutls_x509_crt_export (crt, GNUTLS_X509_FMT_PEM, p, &size); if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { p = malloc (size); if (!p) { fprintf (stderr, "gnutls_malloc\n"); exit (1); } ret = gnutls_x509_crt_export (crt, GNUTLS_X509_FMT_PEM, p, &size); } if (ret < 0) { fprintf (stderr, "Encoding error: %s\n", gnutls_strerror (ret)); return; } fputs ("\n", stdout); fputs (p, stdout); fputs ("\n", stdout); gnutls_free (p); } gnutls_x509_crt_deinit (crt); } }
static int tds_verify_certificate(gnutls_session_t session) { unsigned int status; int ret; TDSSOCKET *tds = (TDSSOCKET *) gnutls_transport_get_ptr(session); #ifdef ENABLE_DEVELOPING unsigned int list_size; const gnutls_datum_t *cert_list; #endif if (!tds->login) return GNUTLS_E_CERTIFICATE_ERROR; ret = gnutls_certificate_verify_peers2(session, &status); if (ret < 0) { tdsdump_log(TDS_DBG_ERROR, "Error verifying certificate: %s\n", gnutls_strerror(ret)); return GNUTLS_E_CERTIFICATE_ERROR; } #ifdef ENABLE_DEVELOPING cert_list = gnutls_certificate_get_peers(session, &list_size); if (cert_list) { gnutls_x509_crt_t cert; gnutls_datum_t cinfo; char buf[8192]; size_t size; gnutls_x509_crt_init(&cert); gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER); /* This is the preferred way of printing short information about * a certificate. */ size = sizeof(buf); ret = gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, buf, &size); if (ret == 0) { FILE *f = fopen("cert.dat", "wb"); if (f) { fwrite(buf, size, 1, f); fclose(f); } } ret = gnutls_x509_crt_print(cert, GNUTLS_CRT_PRINT_ONELINE, &cinfo); if (ret == 0) { tdsdump_log(TDS_DBG_INFO1, "Certificate info: %s\n", cinfo.data); gnutls_free(cinfo.data); } gnutls_x509_crt_deinit(cert); } #endif /* Certificate is not trusted */ if (status != 0) { tdsdump_log(TDS_DBG_ERROR, "Certificate status: %u\n", status); return GNUTLS_E_CERTIFICATE_ERROR; } /* check hostname */ if (tds->login->check_ssl_hostname) { const gnutls_datum_t *cert_list; unsigned int list_size; gnutls_x509_crt_t cert; cert_list = gnutls_certificate_get_peers(session, &list_size); if (!cert_list) { tdsdump_log(TDS_DBG_ERROR, "Error getting TLS session peers\n"); return GNUTLS_E_CERTIFICATE_ERROR; } gnutls_x509_crt_init(&cert); gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER); ret = gnutls_x509_crt_check_hostname(cert, tds_dstr_cstr(&tds->login->server_host_name)); gnutls_x509_crt_deinit(cert); if (!ret) { tdsdump_log(TDS_DBG_ERROR, "Certificate hostname does not match\n"); return GNUTLS_E_CERTIFICATE_ERROR; } } /* notify gnutls to continue handshake normally */ return 0; }