/**
* gnutls_x509_trust_list_add_trust_mem:
* @list: The list
* @cas: A buffer containing a list of CAs (optional)
* @crls: A buffer containing a list of CRLs (optional)
* @type: The format of the certificates
* @tl_flags: flags from %gnutls_trust_list_flags_t
* @tl_vflags: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL
*
* This function will add the given certificate authorities
* to the trusted list.
*
* Returns: The number of added elements is returned.
*
* Since: 3.1
**/
int
gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t list,
const gnutls_datum_t * cas,
const gnutls_datum_t * crls,
gnutls_x509_crt_fmt_t type,
unsigned int tl_flags,
unsigned int tl_vflags)
{
int ret;
gnutls_x509_crt_t *x509_ca_list = NULL;
gnutls_x509_crl_t *x509_crl_list = NULL;
unsigned int x509_ncas, x509_ncrls;
unsigned int r = 0;
if (cas != NULL && cas->data != NULL) {
ret =
gnutls_x509_crt_list_import2(&x509_ca_list, &x509_ncas,
cas, type, 0);
if (ret < 0)
return gnutls_assert_val(ret);
ret =
gnutls_x509_trust_list_add_cas(list, x509_ca_list,
x509_ncas, tl_flags);
gnutls_free(x509_ca_list);
if (ret < 0)
return gnutls_assert_val(ret);
else
r += ret;
}
if (crls != NULL && crls->data != NULL) {
ret =
gnutls_x509_crl_list_import2(&x509_crl_list,
&x509_ncrls, crls, type,
0);
if (ret < 0)
return gnutls_assert_val(ret);
ret =
gnutls_x509_trust_list_add_crls(list, x509_crl_list,
x509_ncrls, tl_flags|GNUTLS_TL_NO_DUPLICATES,
tl_vflags);
gnutls_free(x509_crl_list);
if (ret < 0)
return gnutls_assert_val(ret);
else
r += ret;
}
return r;
}
/* This function does add a PKCS #11 object URL into trust list. The
* CA certificates are imported directly, rather than using it as a
* trusted PKCS#11 token.
*/
static
int add_trust_list_pkcs11_object_url(gnutls_x509_trust_list_t list, const char *url, unsigned flags)
{
gnutls_x509_crt_t *xcrt_list = NULL;
gnutls_pkcs11_obj_t *pcrt_list = NULL;
unsigned int pcrt_list_size = 0, i;
int ret;
ret =
gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size,
url,
GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED,
0);
if (ret < 0)
return gnutls_assert_val(ret);
if (pcrt_list_size == 0) {
ret = 0;
goto cleanup;
}
xcrt_list = gnutls_malloc(sizeof(gnutls_x509_crt_t) * pcrt_list_size);
if (xcrt_list == NULL) {
ret = GNUTLS_E_MEMORY_ERROR;
goto cleanup;
}
ret =
gnutls_x509_crt_list_import_pkcs11(xcrt_list, pcrt_list_size,
pcrt_list, 0);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret =
gnutls_x509_trust_list_add_cas(list, xcrt_list, pcrt_list_size,
flags);
cleanup:
for (i = 0; i < pcrt_list_size; i++)
gnutls_pkcs11_obj_deinit(pcrt_list[i]);
gnutls_free(pcrt_list);
gnutls_free(xcrt_list);
return ret;
}
/**
* gnutls_certificate_set_x509_trust:
* @res: is a #gnutls_certificate_credentials_t type.
* @ca_list: is a list of trusted CAs
* @ca_list_size: holds the size of the CA list
*
* This function adds the trusted CAs in order to verify client
* or server certificates. In case of a client this is not required
* to be called if the certificates are not verified using
* gnutls_certificate_verify_peers2().
* This function may be called multiple times.
*
* In case of a server the CAs set here will be sent to the client if
* a certificate request is sent. This can be disabled using
* gnutls_certificate_send_x509_rdn_sequence().
*
* Returns: the number of certificates processed or a negative error code
* on error.
*
* Since: 2.4.0
**/
int
gnutls_certificate_set_x509_trust(gnutls_certificate_credentials_t res,
gnutls_x509_crt_t * ca_list,
int ca_list_size)
{
int ret, i, j;
gnutls_x509_crt_t *new_list = gnutls_malloc(ca_list_size * sizeof(gnutls_x509_crt_t));
if (!new_list)
return GNUTLS_E_MEMORY_ERROR;
for (i = 0; i < ca_list_size; i++) {
ret = gnutls_x509_crt_init(&new_list[i]);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = _gnutls_x509_crt_cpy(new_list[i], ca_list[i]);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
}
ret =
gnutls_x509_trust_list_add_cas(res->tlist, new_list,
ca_list_size, GNUTLS_TL_USE_IN_TLS);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
gnutls_free(new_list);
return ret;
cleanup:
for (j = 0; j < i; j++)
gnutls_x509_crt_deinit(new_list[j]);
gnutls_free(new_list);
return ret;
}
/* This function will try to verify the peer's certificate chain, and
* also check if the hostname matches.
*/
void
verify_certificate_chain(const char *hostname,
const gnutls_datum_t * cert_chain,
int cert_chain_length)
{
int i;
gnutls_x509_trust_list_t tlist;
gnutls_x509_crt_t *cert;
unsigned int output;
/* Initialize the trusted certificate list. This should be done
* once on initialization. gnutls_x509_crt_list_import2() and
* gnutls_x509_crl_list_import2() can be used to load them.
*/
gnutls_x509_trust_list_init(&tlist, 0);
gnutls_x509_trust_list_add_cas(tlist, ca_list, ca_list_size, 0);
gnutls_x509_trust_list_add_crls(tlist, crl_list, crl_list_size,
GNUTLS_TL_VERIFY_CRL, 0);
cert = malloc(sizeof(*cert) * cert_chain_length);
/* Import all the certificates in the chain to
* native certificate format.
*/
for (i = 0; i < cert_chain_length; i++) {
gnutls_x509_crt_init(&cert[i]);
gnutls_x509_crt_import(cert[i], &cert_chain[i],
GNUTLS_X509_FMT_DER);
}
gnutls_x509_trust_list_verify_named_crt(tlist, cert[0], hostname,
strlen(hostname),
GNUTLS_VERIFY_DISABLE_CRL_CHECKS,
&output,
print_details_func);
/* if this certificate is not explicitly trusted verify against CAs
*/
if (output != 0) {
gnutls_x509_trust_list_verify_crt(tlist, cert,
cert_chain_length, 0,
&output,
print_details_func);
}
if (output & GNUTLS_CERT_INVALID) {
fprintf(stderr, "Not trusted");
if (output & GNUTLS_CERT_SIGNER_NOT_FOUND)
fprintf(stderr, ": no issuer was found");
if (output & GNUTLS_CERT_SIGNER_NOT_CA)
fprintf(stderr, ": issuer is not a CA");
if (output & GNUTLS_CERT_NOT_ACTIVATED)
fprintf(stderr, ": not yet activated\n");
if (output & GNUTLS_CERT_EXPIRED)
fprintf(stderr, ": expired\n");
fprintf(stderr, "\n");
} else
fprintf(stderr, "Trusted\n");
/* Check if the name in the first certificate matches our destination!
*/
if (!gnutls_x509_crt_check_hostname(cert[0], hostname)) {
printf
("The certificate's owner does not match hostname '%s'\n",
hostname);
}
gnutls_x509_trust_list_deinit(tlist, 1);
return;
}
void doit(void)
{
int exit_val = 0;
size_t i;
int ret;
gnutls_x509_trust_list_t tl;
unsigned int verify_status;
gnutls_x509_crl_t crl;
gnutls_x509_crt_t ca;
gnutls_datum_t tmp;
/* The overloading of time() seems to work in linux (ELF?)
* systems only. Disable it on windows.
*/
#ifdef _WIN32
exit(77);
#endif
ret = global_init();
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_global_set_time_function(mytime);
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
for (i = 0; crl_list[i].name; i++) {
if (debug)
printf("Chain '%s' (%d)...\n", crl_list[i].name,
(int) i);
if (debug > 2)
printf("\tAdding CRL...");
ret = gnutls_x509_crl_init(&crl);
if (ret < 0) {
fprintf(stderr,
"gnutls_x509_crl_init[%d]: %s\n",
(int) i,
gnutls_strerror(ret));
exit(1);
}
tmp.data = (unsigned char *) *crl_list[i].crl;
tmp.size = strlen(*crl_list[i].crl);
ret =
gnutls_x509_crl_import(crl, &tmp,
GNUTLS_X509_FMT_PEM);
if (debug > 2)
printf("done\n");
if (ret < 0) {
fprintf(stderr,
"gnutls_x509_crl_import[%s]: %s\n",
crl_list[i].name,
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_crl_print(crl,
GNUTLS_CRT_PRINT_ONELINE,
&tmp);
if (debug)
printf("\tCRL: %.*s\n",
tmp.size, tmp.data);
gnutls_free(tmp.data);
if (debug > 2)
printf("\tAdding CA certificate...");
ret = gnutls_x509_crt_init(&ca);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_init: %s\n",
gnutls_strerror(ret));
exit(1);
}
tmp.data = (unsigned char *) *crl_list[i].ca;
tmp.size = strlen(*crl_list[i].ca);
ret =
gnutls_x509_crt_import(ca, &tmp, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_import: %s\n",
gnutls_strerror(ret));
exit(1);
}
if (debug > 2)
printf("done\n");
gnutls_x509_crt_print(ca, GNUTLS_CRT_PRINT_ONELINE, &tmp);
if (debug)
printf("\tCA Certificate: %.*s\n", tmp.size,
tmp.data);
gnutls_free(tmp.data);
if (debug)
printf("\tVerifying...");
ret = gnutls_x509_crl_verify(crl, &ca, 1, crl_list[i].verify_flags,
&verify_status);
if (ret < 0) {
fprintf(stderr,
"gnutls_x509_crt_list_verify[%d]: %s\n",
(int) i, gnutls_strerror(ret));
exit(1);
}
if (verify_status != crl_list[i].expected_verify_result) {
gnutls_datum_t out1, out2;
gnutls_certificate_verification_status_print
(verify_status, GNUTLS_CRT_X509, &out1, 0);
gnutls_certificate_verification_status_print(crl_list
[i].
expected_verify_result,
GNUTLS_CRT_X509,
&out2,
0);
fail("chain[%s]:\nverify_status: %d: %s\nexpected: %d: %s\n", crl_list[i].name, verify_status, out1.data, crl_list[i].expected_verify_result, out2.data);
gnutls_free(out1.data);
gnutls_free(out2.data);
if (!debug)
exit(1);
} else if (debug)
printf("done\n");
gnutls_x509_trust_list_init(&tl, 0);
ret =
gnutls_x509_trust_list_add_cas(tl, &ca, 1, 0);
if (ret != 1) {
fail("gnutls_x509_trust_list_add_trust_mem\n");
exit(1);
}
/* make sure that the two functions don't diverge */
ret = gnutls_x509_trust_list_add_crls(tl, &crl, 1, GNUTLS_TL_VERIFY_CRL, crl_list[i].verify_flags);
if (crl_list[i].expected_verify_result == 0 && ret < 0) {
fprintf(stderr,
"gnutls_x509_trust_list_add_crls[%d]: %s\n",
(int) i, gnutls_strerror(ret));
exit(1);
}
if (crl_list[i].expected_verify_result != 0 && ret > 0) {
fprintf(stderr,
"gnutls_x509_trust_list_add_crls[%d]: succeeded when it shouldn't\n",
(int) i);
exit(1);
}
if (debug)
printf("\tCleanup...");
gnutls_x509_trust_list_deinit(tl, 0);
gnutls_x509_crt_deinit(ca);
gnutls_x509_crl_deinit(crl);
if (debug)
printf("done\n\n\n");
}
gnutls_global_deinit();
if (debug)
printf("Exit status...%d\n", exit_val);
exit(exit_val);
}
static int _verify_response(gnutls_datum_t * data, gnutls_datum_t * nonce,
gnutls_x509_crt_t signer)
{
gnutls_ocsp_resp_t resp;
int ret;
size_t size;
gnutls_x509_crt_t *x509_ca_list = NULL;
gnutls_x509_trust_list_t list;
unsigned int x509_ncas = 0;
unsigned verify;
gnutls_datum_t dat;
ret = gnutls_ocsp_resp_init(&resp);
if (ret < 0) {
fprintf(stderr, "ocsp_resp_init: %s\n",
gnutls_strerror(ret));
exit(1);
}
ret = gnutls_ocsp_resp_import(resp, data);
if (ret < 0) {
fprintf(stderr, "importing response: %s\n",
gnutls_strerror(ret));
exit(1);
}
if (nonce) {
gnutls_datum_t rnonce;
ret = gnutls_ocsp_resp_get_nonce(resp, NULL, &rnonce);
if (ret < 0) {
fprintf(stderr, "could not read response's nonce: %s\n",
gnutls_strerror(ret));
exit(1);
}
if (rnonce.size != nonce->size || memcmp(nonce->data, rnonce.data,
nonce->size) != 0) {
fprintf(stderr, "nonce in the response doesn't match\n");
exit(1);
}
gnutls_free(rnonce.data);
}
if (HAVE_OPT(LOAD_TRUST)) {
dat.data =
(void *) read_binary_file(OPT_ARG(LOAD_TRUST), &size);
if (dat.data == NULL) {
fprintf(stderr, "reading --load-trust: %s\n",
OPT_ARG(LOAD_TRUST));
exit(1);
}
dat.size = size;
ret = gnutls_x509_trust_list_init(&list, 0);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_trust_list_init: %s\n",
gnutls_strerror(ret));
exit(1);
}
ret =
gnutls_x509_crt_list_import2(&x509_ca_list, &x509_ncas,
&dat, GNUTLS_X509_FMT_PEM,
0);
if (ret < 0 || x509_ncas < 1) {
fprintf(stderr, "error parsing CAs: %s\n",
gnutls_strerror(ret));
exit(1);
}
if (HAVE_OPT(VERBOSE)) {
unsigned int i;
printf("Trust anchors:\n");
for (i = 0; i < x509_ncas; i++) {
gnutls_datum_t out;
ret =
gnutls_x509_crt_print(x509_ca_list[i],
GNUTLS_CRT_PRINT_ONELINE,
&out);
if (ret < 0) {
fprintf(stderr,
"gnutls_x509_crt_print: %s\n",
gnutls_strerror(ret));
exit(1);
}
printf("%d: %.*s\n", i, out.size,
out.data);
gnutls_free(out.data);
}
printf("\n");
}
ret =
gnutls_x509_trust_list_add_cas(list, x509_ca_list,
x509_ncas, 0);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_trust_add_cas: %s\n",
gnutls_strerror(ret));
exit(1);
}
if (HAVE_OPT(VERBOSE))
fprintf(stdout, "Loaded %d trust anchors\n",
x509_ncas);
ret = gnutls_ocsp_resp_verify(resp, list, &verify, 0);
if (ret < 0) {
fprintf(stderr, "gnutls_ocsp_resp_verify: %s\n",
gnutls_strerror(ret));
exit(1);
}
} else if (signer) {
if (HAVE_OPT(VERBOSE)) {
gnutls_datum_t out;
ret =
gnutls_x509_crt_print(signer,
GNUTLS_CRT_PRINT_ONELINE,
&out);
if (ret < 0) {
fprintf(stderr,
"gnutls_x509_crt_print: %s\n",
gnutls_strerror(ret));
exit(1);
}
printf("Signer: %.*s\n", out.size, out.data);
gnutls_free(out.data);
printf("\n");
}
ret =
gnutls_ocsp_resp_verify_direct(resp, signer, &verify,
0);
if (ret < 0) {
fprintf(stderr,
"gnutls_ocsp_resp_verify_direct: %s\n",
gnutls_strerror(ret));
exit(1);
}
} else {
fprintf(stderr, "missing --load-trust or --load-signer\n");
exit(1);
}
printf("Verifying OCSP Response: ");
print_ocsp_verify_res(verify);
printf(".\n");
gnutls_ocsp_resp_deinit(resp);
return verify;
}
void
doit (void)
{
int ret;
gnutls_datum_t data;
gnutls_x509_crt_t server_crt, ca_crt;
gnutls_x509_trust_list_t tl;
unsigned int status;
/* this must be called once in the program
*/
gnutls_global_init ();
gnutls_global_set_time_function (mytime);
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (6);
/* test for gnutls_certificate_get_issuer() */
gnutls_x509_trust_list_init(&tl, 0);
gnutls_x509_crt_init(&server_crt);
gnutls_x509_crt_init(&ca_crt);
ret = gnutls_x509_crt_import(server_crt, &cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("gnutls_x509_crt_import");
ret = gnutls_x509_crt_import(ca_crt, &ca, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("gnutls_x509_crt_import");
ret = gnutls_x509_trust_list_add_cas(tl, &ca_crt, 1, 0);
if (ret < 0)
fail("gnutls_x509_trust_list_add_cas");
ret = gnutls_x509_trust_list_add_named_crt(tl, server_crt, NAME, NAME_SIZE, 0);
if (ret < 0)
fail("gnutls_x509_trust_list_add_named_crt");
ret = gnutls_x509_trust_list_verify_crt(tl, &server_crt, 1, 0, &status, NULL);
if (ret < 0 || status != 0)
fail("gnutls_x509_trust_list_verify_crt\n");
ret = gnutls_x509_trust_list_verify_named_crt(tl, server_crt, NAME, NAME_SIZE, 0, &status, NULL);
if (ret < 0 || status != 0)
fail("gnutls_x509_trust_list_verify_named_crt: %d\n", __LINE__);
ret = gnutls_x509_trust_list_verify_named_crt(tl, server_crt, NAME, NAME_SIZE-1, 0, &status, NULL);
if (ret < 0 || status == 0)
fail("gnutls_x509_trust_list_verify_named_crt: %d\n", __LINE__);
ret = gnutls_x509_trust_list_verify_named_crt(tl, server_crt, "other", 5, 0, &status, NULL);
if (ret < 0 || status == 0)
fail("gnutls_x509_trust_list_verify_named_crt: %d\n", __LINE__);
/* test convenience functions in verify-high2.c */
data.data = cert_pem;
data.size = strlen((char*)cert_pem);
ret = gnutls_x509_trust_list_add_trust_mem(tl, &data, NULL, GNUTLS_X509_FMT_PEM, 0, 0);
if (ret < 1)
fail("gnutls_x509_trust_list_add_trust_mem: %d (%s)\n", __LINE__, gnutls_strerror(ret));
data.data = cert_der;
data.size = sizeof(cert_der);
ret = gnutls_x509_trust_list_add_trust_mem(tl, &data, NULL, GNUTLS_X509_FMT_DER, 0, 0);
if (ret < 1)
fail("gnutls_x509_trust_list_add_trust_mem: %d (%s)\n", __LINE__, gnutls_strerror(ret));
gnutls_x509_trust_list_deinit(tl, 1);
gnutls_global_deinit();
if (debug) success("success");
}
static int
_verify_response (gnutls_datum_t *data)
{
gnutls_ocsp_resp_t resp;
int ret;
size_t size;
gnutls_x509_crt_t *x509_ca_list = NULL;
unsigned int x509_ncas = 0;
gnutls_x509_trust_list_t list;
gnutls_x509_crt_t signer;
unsigned verify;
gnutls_datum_t dat;
ret = gnutls_ocsp_resp_init (&resp);
if (ret < 0)
error (EXIT_FAILURE, 0, "ocsp_resp_init: %s", gnutls_strerror (ret));
ret = gnutls_ocsp_resp_import (resp, data);
if (ret < 0)
error (EXIT_FAILURE, 0, "importing response: %s", gnutls_strerror (ret));
if (HAVE_OPT(LOAD_TRUST))
{
dat.data = (void*)read_binary_file (OPT_ARG(LOAD_TRUST), &size);
if (dat.data == NULL)
error (EXIT_FAILURE, errno, "reading --load-trust: %s", OPT_ARG(LOAD_TRUST));
dat.size = size;
ret = gnutls_x509_trust_list_init (&list, 0);
if (ret < 0)
error (EXIT_FAILURE, 0, "gnutls_x509_trust_list_init: %s",
gnutls_strerror (ret));
ret = gnutls_x509_crt_list_import2 (&x509_ca_list, &x509_ncas, &dat,
GNUTLS_X509_FMT_PEM, 0);
if (ret < 0 || x509_ncas < 1)
error (EXIT_FAILURE, 0, "error parsing CAs: %s",
gnutls_strerror (ret));
if (HAVE_OPT(VERBOSE))
{
unsigned int i;
printf ("Trust anchors:\n");
for (i = 0; i < x509_ncas; i++)
{
gnutls_datum_t out;
ret = gnutls_x509_crt_print (x509_ca_list[i],
GNUTLS_CRT_PRINT_ONELINE, &out);
if (ret < 0)
error (EXIT_FAILURE, 0, "gnutls_x509_crt_print: %s",
gnutls_strerror (ret));
printf ("%d: %.*s\n", i, out.size, out.data);
gnutls_free (out.data);
}
printf("\n");
}
ret = gnutls_x509_trust_list_add_cas (list, x509_ca_list, x509_ncas, 0);
if (ret < 0)
error (EXIT_FAILURE, 0, "gnutls_x509_trust_add_cas: %s",
gnutls_strerror (ret));
if (HAVE_OPT(VERBOSE))
fprintf (stdout, "Loaded %d trust anchors\n", x509_ncas);
ret = gnutls_ocsp_resp_verify (resp, list, &verify, 0);
if (ret < 0)
error (EXIT_FAILURE, 0, "gnutls_ocsp_resp_verify: %s",
gnutls_strerror (ret));
}
else if (HAVE_OPT(LOAD_SIGNER))
{
ret = gnutls_x509_crt_init (&signer);
if (ret < 0)
error (EXIT_FAILURE, 0, "crt_init: %s", gnutls_strerror (ret));
dat.data = (void*)read_binary_file (OPT_ARG(LOAD_SIGNER), &size);
if (dat.data == NULL)
error (EXIT_FAILURE, errno, "reading --load-signer: %s", OPT_ARG(LOAD_SIGNER));
dat.size = size;
ret = gnutls_x509_crt_import (signer, &dat, encoding);
free (dat.data);
if (ret < 0)
error (EXIT_FAILURE, 0, "importing --load-signer: %s: %s",
OPT_ARG(LOAD_SIGNER), gnutls_strerror (ret));
if (HAVE_OPT(VERBOSE))
{
gnutls_datum_t out;
ret = gnutls_x509_crt_print (signer, GNUTLS_CRT_PRINT_ONELINE, &out);
if (ret < 0)
error (EXIT_FAILURE, 0, "gnutls_x509_crt_print: %s",
gnutls_strerror (ret));
printf ("Signer: %.*s\n", out.size, out.data);
gnutls_free (out.data);
printf("\n");
}
ret = gnutls_ocsp_resp_verify_direct (resp, signer, &verify, 0);
if (ret < 0)
error (EXIT_FAILURE, 0, "gnutls_ocsp_resp_verify_direct: %s",
gnutls_strerror (ret));
}
else
error (EXIT_FAILURE, 0, "missing --load-trust or --load-signer");
printf ("Verifying OCSP Response: ");
print_ocsp_verify_res (verify);
printf (".\n");
gnutls_ocsp_resp_deinit (resp);
return verify;
}
void doit(void)
{
char buf[128];
int exit_val = 0;
int ret;
unsigned j;
const char *lib, *bin;
gnutls_x509_crt_t issuer = NULL;
gnutls_x509_trust_list_t tl;
gnutls_x509_crt_t certs[MAX_CHAIN];
gnutls_x509_crt_t end, ca;
unsigned verify_status = 0;
gnutls_datum_t tmp;
/* The overloading of time() seems to work in linux (ELF?)
* systems only. Disable it on windows.
*/
#ifdef _WIN32
exit(77);
#endif
bin = softhsm_bin();
lib = softhsm_lib();
ret = global_init();
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_pkcs11_set_pin_function(pin_func, NULL);
gnutls_global_set_time_function(mytime);
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
set_softhsm_conf(CONFIG);
snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin);
system(buf);
ret = gnutls_pkcs11_add_provider(lib, "trusted");
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_init: %s\n",
gnutls_strerror(ret));
exit(1);
}
for (j = 0; ca_list[j]; j++) {
if (debug > 2)
printf("\tAdding certificate %d...",
(int) j);
ret = gnutls_x509_crt_init(&certs[j]);
if (ret < 0) {
fprintf(stderr,
"gnutls_x509_crt_init[%d,%d]: %s\n",
(int) 3, (int) j,
gnutls_strerror(ret));
exit(1);
}
tmp.data = (unsigned char *) ca_list[j];
tmp.size = strlen(ca_list[j]);
ret =
gnutls_x509_crt_import(certs[j], &tmp,
GNUTLS_X509_FMT_PEM);
if (debug > 2)
printf("done\n");
if (ret < 0) {
fprintf(stderr,
"gnutls_x509_crt_import[%d]: %s\n",
(int) j,
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_crt_print(certs[j],
GNUTLS_CRT_PRINT_ONELINE,
&tmp);
if (debug)
printf("\tCertificate %d: %.*s\n", (int) j,
tmp.size, tmp.data);
gnutls_free(tmp.data);
}
if (debug > 2)
printf("\tAdding end certificate...");
ret = gnutls_x509_crt_init(&end);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_init: %s\n",
gnutls_strerror(ret));
exit(1);
}
tmp.data = (unsigned char *) v1_root_check[0];
tmp.size = strlen(v1_root_check[0]);
ret =
gnutls_x509_crt_import(end, &tmp, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_import: %s\n",
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_crt_print(end, GNUTLS_CRT_PRINT_ONELINE, &tmp);
if (debug)
printf("\tEnd Certificate: %.*s\n", tmp.size,
tmp.data);
gnutls_free(tmp.data);
ret = gnutls_x509_crt_init(&ca);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_init: %s\n",
gnutls_strerror(ret));
exit(1);
}
tmp.data = (unsigned char *) v1_root_check[1];
tmp.size = strlen(v1_root_check[1]);
ret =
gnutls_x509_crt_import(ca, &tmp, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_import: %s\n",
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_crt_print(end, GNUTLS_CRT_PRINT_ONELINE, &tmp);
if (debug)
printf("\tCA Certificate: %.*s\n", tmp.size,
tmp.data);
gnutls_free(tmp.data);
if (debug > 2)
printf("done\n");
if (debug)
printf("\tChecking presence and verification...");
/* initialize softhsm token */
ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test");
if (ret < 0) {
fail("gnutls_pkcs11_token_init\n");
exit(1);
}
/* write CA certificate to softhsm */
for (j = 0; ca_list[j]; j++) {
char name[64];
snprintf(name, sizeof(name), "test-ca%d", j);
ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, certs[j], name, GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED|GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO);
if (ret < 0) {
fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret));
exit(1);
}
}
gnutls_x509_trust_list_init(&tl, 0);
ret = gnutls_x509_trust_list_add_trust_file(tl, SOFTHSM_URL, NULL, 0, 0, 0);
if (ret < 0) {
fail("gnutls_x509_trust_list_add_trust_file\n");
exit(1);
}
ret = gnutls_x509_trust_list_add_cas(tl, &ca, 1, 0);
if (ret < 0) {
fail("gnutls_x509_trust_list_add_cas\n");
exit(1);
}
/* extract the issuer of the certificate */
ret = gnutls_x509_trust_list_get_issuer(tl, end, &issuer, GNUTLS_TL_GET_COPY);
if (ret < 0) {
fail("gnutls_x509_trust_list_get_issuer should have succeeded\n");
exit(1);
}
gnutls_x509_crt_deinit(issuer);
ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, ca, GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED);
if (ret != 0) {
fail("gnutls_pkcs11_crt_is_known should have failed!\n");
exit(1);
}
ret = gnutls_x509_trust_list_verify_crt2(tl, &end, 1,
NULL, 0,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS, &verify_status, NULL);
if (ret < 0) {
fail("gnutls_x509_trust_list_verify_crt2 should have succeeded\n");
exit(1);
}
if (verify_status != 0) {
fail("verification should have succeeded: %.2x\n", verify_status);
exit(1);
}
if (debug)
printf("\tCleanup...");
gnutls_x509_trust_list_deinit(tl, 0);
gnutls_x509_crt_deinit(ca);
gnutls_x509_crt_deinit(end);
for (j = 0; ca_list[j]; j++) {
gnutls_x509_crt_deinit(certs[j]);
}
if (debug)
printf("done\n\n\n");
gnutls_global_deinit();
if (debug)
printf("Exit status...%d\n", exit_val);
remove(CONFIG);
exit(exit_val);
}
