/* returns true or false, depending on whether the hostname
* matches to certificate */
static int
verify_openpgp_hostname (gnutls_session_t session, const char *hostname)
{
gnutls_openpgp_crt_t crt;
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
int ret;
cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
if (cert_list_size == 0)
{
fprintf (stderr, "No certificates found!\n");
return 0;
}
gnutls_openpgp_crt_init (&crt);
ret =
gnutls_openpgp_crt_import (crt, &cert_list[0],
GNUTLS_OPENPGP_FMT_RAW);
if (ret < 0)
{
fprintf (stderr, "Decoding error: %s\n",
gnutls_strerror (ret));
return 0;
}
/* Check the hostname of the first certificate if it matches
* the name of the host we connected to.
*/
if (gnutls_openpgp_crt_check_hostname (crt, hostname) == 0)
{
printf
("- The hostname in the certificate does NOT match '%s'\n",
hostname);
ret = 0;
}
else
{
printf ("- The hostname in the certificate matches '%s'.\n",
hostname);
ret = 1;
}
gnutls_openpgp_crt_deinit (crt);
return ret;
}
void doit(void)
{
gnutls_x509_crt_t x509;
#ifdef ENABLE_OPENPGP
gnutls_openpgp_crt_t pgp;
#endif
gnutls_datum_t data;
int ret;
ret = global_init();
if (ret < 0)
fail("global_init: %d\n", ret);
ret = gnutls_x509_crt_init(&x509);
if (ret < 0)
fail("gnutls_x509_crt_init: %d\n", ret);
#ifdef ENABLE_OPENPGP
ret = gnutls_openpgp_crt_init(&pgp);
if (ret < 0)
fail("gnutls_openpgp_crt_init: %d\n", ret);
#endif
if (debug)
success("Testing wildcards...\n");
data.data = (unsigned char *) wildcards;
data.size = strlen(wildcards);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "example.com");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "example.org");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "www.example.net");
if (ret==0)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
if (debug)
success("Testing pem1...\n");
data.data = (unsigned char *) pem1;
data.size = strlen(pem1);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foo");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
if (debug)
success("Testing pem2...\n");
data.data = (unsigned char *) pem2;
data.size = strlen(pem2);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foo");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "www.example.org");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "*.example.org");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
if (debug)
success("Testing pem3...\n");
data.data = (unsigned char *) pem3;
data.size = strlen(pem3);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foo");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "www.example.org");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "*.example.org");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
if (debug)
success("Testing pem4...\n");
data.data = (unsigned char *) pem4;
data.size = strlen(pem4);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foo");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "www.example.org");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname2(x509, "www.example.org", GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS);
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foo.example.org");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foo.example.com");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
#ifdef SUPPORT_COMPLEX_WILDCARDS
if (debug)
success("Testing pem6...\n");
data.data = (unsigned char *) pem6;
data.size = strlen(pem6);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foo.example.org");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "bar.foo.example.org");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
if (debug)
success("Testing pem7...\n");
data.data = (unsigned char *) pem7;
data.size = strlen(pem7);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foo.bar.example.org");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret =
gnutls_x509_crt_check_hostname(x509, "foobar.bar.example.org");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foobar.example.org");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
ret =
gnutls_x509_crt_check_hostname(x509, "foobazbar.example.org");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
#endif
if (debug)
success("Testing pem8...\n");
data.data = (unsigned char *) pem8;
data.size = strlen(pem8);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
/* this was passing in old gnutls versions, but that was not a
* good idea. See http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7380
* for a discussion. */
ret = gnutls_x509_crt_check_hostname(x509, "www.example.org");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "www.example.");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
/* this was passing in old gnutls versions, but that was not a
* good idea. See http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7380
* for a discussion. */
ret = gnutls_x509_crt_check_hostname(x509, "www.example.com");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "www.example.foo.com");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
if (debug)
success("Testing pem9...\n");
data.data = (unsigned char *) pem9;
data.size = strlen(pem9);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foo.example.org");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "bar.example.org");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
if (debug)
success("Testing pem10...\n");
data.data = (unsigned char *) pem10;
data.size = strlen(pem10);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "localhost");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
if (debug)
success("Testing pem_too_many...\n");
data.data = (unsigned char *) pem_too_many;
data.size = strlen(pem_too_many);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret =
gnutls_x509_crt_check_hostname(x509,
"localhost.gnutls.gnutls.org");
if (ret)
fail("%d: Hostname verification should have failed (too many wildcards)\n", __LINE__);
if (debug)
success("Testing pem-ips...\n");
data.data = (unsigned char *) pem_ips;
data.size = strlen(pem_ips);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "127.0.0.2");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "example.com");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "127.0.0.1");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "192.168.5.1");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "::1");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "fe80::3e97:eff:fe18:359a");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
if (debug)
success("Testing multi-cns...\n");
data.data = (unsigned char *) multi_cns;
data.size = strlen(multi_cns);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "example.com");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "www.example.com");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "www.example2.com");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "www.example3.com");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
#ifdef ENABLE_OPENPGP
if (debug)
success("Testing pem11...\n");
data.data = (unsigned char *) pem11;
data.size = strlen(pem11);
ret =
gnutls_openpgp_crt_import(pgp, &data,
GNUTLS_OPENPGP_FMT_BASE64);
if (ret < 0)
fail("%d: gnutls_openpgp_crt_import: %d\n", __LINE__, ret);
ret = gnutls_openpgp_crt_check_hostname(pgp, "test.gnutls.org");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
gnutls_openpgp_crt_deinit(pgp);
#endif
gnutls_x509_crt_deinit(x509);
gnutls_global_deinit();
}
static void
print_openpgp_info (gnutls_session_t session, const char *hostname,
int insecure)
{
gnutls_openpgp_crt_t crt;
const gnutls_datum_t *cert_list;
int cert_list_size = 0;
int hostname_ok = 0;
int ret;
cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
if (cert_list_size > 0)
{
gnutls_datum_t cinfo;
gnutls_openpgp_crt_init (&crt);
ret = gnutls_openpgp_crt_import (crt, &cert_list[0],
GNUTLS_OPENPGP_FMT_RAW);
if (ret < 0)
{
fprintf (stderr, "Decoding error: %s\n", gnutls_strerror (ret));
return;
}
if (verbose)
ret = gnutls_openpgp_crt_print (crt, GNUTLS_CRT_PRINT_FULL, &cinfo);
else
ret =
gnutls_openpgp_crt_print (crt, GNUTLS_CRT_PRINT_ONELINE, &cinfo);
if (ret == 0)
{
printf (" - %s\n", cinfo.data);
gnutls_free (cinfo.data);
}
if (print_cert)
{
size_t size = 0;
char *p = NULL;
ret = gnutls_openpgp_crt_export (crt, GNUTLS_OPENPGP_FMT_BASE64,
p, &size);
if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
{
p = malloc (size);
if (!p)
{
fprintf (stderr, "gnutls_malloc\n");
exit (1);
}
ret = gnutls_openpgp_crt_export (crt, GNUTLS_OPENPGP_FMT_BASE64,
p, &size);
}
if (ret < 0)
{
fprintf (stderr, "Encoding error: %s\n", gnutls_strerror (ret));
return;
}
fputs (p, stdout);
fputs ("\n", stdout);
gnutls_free (p);
}
if (hostname != NULL)
{
/* Check the hostname of the first certificate if it matches
* the name of the host we connected to.
*/
if (gnutls_openpgp_crt_check_hostname (crt, hostname) == 0)
hostname_ok = 1;
else
hostname_ok = 2;
}
gnutls_openpgp_crt_deinit (crt);
}
if (hostname_ok == 1)
{
printf ("- The hostname in the certificate does NOT match '%s'\n",
hostname);
if (!insecure)
exit (1);
}
else if (hostname_ok == 2)
{
printf ("- The hostname in the certificate matches '%s'.\n", hostname);
}
}
void
doit (void)
{
gnutls_x509_crt_t x509;
#ifdef ENABLE_OPENPGP
gnutls_openpgp_crt_t pgp;
#endif
gnutls_datum_t data;
int ret;
ret = gnutls_global_init ();
if (ret < 0)
fail ("gnutls_global_init: %d\n", ret);
ret = gnutls_x509_crt_init (&x509);
if (ret < 0)
fail ("gnutls_x509_crt_init: %d\n", ret);
#ifdef ENABLE_OPENPGP
ret = gnutls_openpgp_crt_init (&pgp);
if (ret < 0)
fail ("gnutls_openpgp_crt_init: %d\n", ret);
#endif
if (debug)
success ("Testing pem1...\n");
data.data = pem1;
data.size = strlen (pem1);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
if (debug)
success ("Testing pem2...\n");
data.data = pem2;
data.size = strlen (pem2);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "*.example.org");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
if (debug)
success ("Testing pem3...\n");
data.data = pem3;
data.size = strlen (pem3);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "*.example.org");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
if (debug)
success ("Testing pem4...\n");
data.data = pem4;
data.size = strlen (pem4);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo.example.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo.example.com");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
if (debug)
success ("Testing pem5...\n");
data.data = pem5;
data.size = strlen (pem5);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "1.2.3.4");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
if (debug)
success ("Testing pem6...\n");
data.data = pem6;
data.size = strlen (pem6);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo.example.org");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "bar.foo.example.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
if (debug)
success ("Testing pem7...\n");
data.data = pem7;
data.size = strlen (pem7);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo.bar.example.org");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foobar.bar.example.org");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foobar.example.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foobazbar.example.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
if (debug)
success ("Testing pem8...\n");
data.data = pem8;
data.size = strlen (pem8);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "www.example.");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "www.example.com");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "www.example.foo.com");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
if (debug)
success ("Testing pem9...\n");
data.data = pem9;
data.size = strlen (pem9);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo.example.org");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "bar.example.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
if (debug)
success ("Testing pem10...\n");
data.data = pem10;
data.size = strlen (pem10);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "localhost");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
#ifdef ENABLE_OPENPGP
if (debug)
success ("Testing pem11...\n");
data.data = pem11;
data.size = strlen (pem11);
ret = gnutls_openpgp_crt_import (pgp, &data, GNUTLS_OPENPGP_FMT_BASE64);
if (ret < 0)
fail ("gnutls_openpgp_crt_import: %d\n", ret);
ret = gnutls_openpgp_crt_check_hostname (pgp, "test.gnutls.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
gnutls_openpgp_crt_deinit (pgp);
#endif
gnutls_x509_crt_deinit (x509);
gnutls_global_deinit ();
}
