/** * gnutls_x509_trust_list_add_trust_mem: * @list: The list * @cas: A buffer containing a list of CAs (optional) * @crls: A buffer containing a list of CRLs (optional) * @type: The format of the certificates * @tl_flags: flags from %gnutls_trust_list_flags_t * @tl_vflags: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL * * This function will add the given certificate authorities * to the trusted list. * * Returns: The number of added elements is returned. * * Since: 3.1 **/ int gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t list, const gnutls_datum_t * cas, const gnutls_datum_t * crls, gnutls_x509_crt_fmt_t type, unsigned int tl_flags, unsigned int tl_vflags) { int ret; gnutls_x509_crt_t *x509_ca_list = NULL; gnutls_x509_crl_t *x509_crl_list = NULL; unsigned int x509_ncas, x509_ncrls; unsigned int r = 0; if (cas != NULL && cas->data != NULL) { ret = gnutls_x509_crt_list_import2(&x509_ca_list, &x509_ncas, cas, type, 0); if (ret < 0) return gnutls_assert_val(ret); ret = gnutls_x509_trust_list_add_cas(list, x509_ca_list, x509_ncas, tl_flags); gnutls_free(x509_ca_list); if (ret < 0) return gnutls_assert_val(ret); else r += ret; } if (crls != NULL && crls->data != NULL) { ret = gnutls_x509_crl_list_import2(&x509_crl_list, &x509_ncrls, crls, type, 0); if (ret < 0) return gnutls_assert_val(ret); ret = gnutls_x509_trust_list_add_crls(list, x509_crl_list, x509_ncrls, tl_flags|GNUTLS_TL_NO_DUPLICATES, tl_vflags); gnutls_free(x509_crl_list); if (ret < 0) return gnutls_assert_val(ret); else r += ret; } return r; }
/* This function does add a PKCS #11 object URL into trust list. The * CA certificates are imported directly, rather than using it as a * trusted PKCS#11 token. */ static int add_trust_list_pkcs11_object_url(gnutls_x509_trust_list_t list, const char *url, unsigned flags) { gnutls_x509_crt_t *xcrt_list = NULL; gnutls_pkcs11_obj_t *pcrt_list = NULL; unsigned int pcrt_list_size = 0, i; int ret; ret = gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size, url, GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED, 0); if (ret < 0) return gnutls_assert_val(ret); if (pcrt_list_size == 0) { ret = 0; goto cleanup; } xcrt_list = gnutls_malloc(sizeof(gnutls_x509_crt_t) * pcrt_list_size); if (xcrt_list == NULL) { ret = GNUTLS_E_MEMORY_ERROR; goto cleanup; } ret = gnutls_x509_crt_list_import_pkcs11(xcrt_list, pcrt_list_size, pcrt_list, 0); if (ret < 0) { gnutls_assert(); goto cleanup; } ret = gnutls_x509_trust_list_add_cas(list, xcrt_list, pcrt_list_size, flags); cleanup: for (i = 0; i < pcrt_list_size; i++) gnutls_pkcs11_obj_deinit(pcrt_list[i]); gnutls_free(pcrt_list); gnutls_free(xcrt_list); return ret; }
/** * gnutls_certificate_set_x509_trust: * @res: is a #gnutls_certificate_credentials_t type. * @ca_list: is a list of trusted CAs * @ca_list_size: holds the size of the CA list * * This function adds the trusted CAs in order to verify client * or server certificates. In case of a client this is not required * to be called if the certificates are not verified using * gnutls_certificate_verify_peers2(). * This function may be called multiple times. * * In case of a server the CAs set here will be sent to the client if * a certificate request is sent. This can be disabled using * gnutls_certificate_send_x509_rdn_sequence(). * * Returns: the number of certificates processed or a negative error code * on error. * * Since: 2.4.0 **/ int gnutls_certificate_set_x509_trust(gnutls_certificate_credentials_t res, gnutls_x509_crt_t * ca_list, int ca_list_size) { int ret, i, j; gnutls_x509_crt_t *new_list = gnutls_malloc(ca_list_size * sizeof(gnutls_x509_crt_t)); if (!new_list) return GNUTLS_E_MEMORY_ERROR; for (i = 0; i < ca_list_size; i++) { ret = gnutls_x509_crt_init(&new_list[i]); if (ret < 0) { gnutls_assert(); goto cleanup; } ret = _gnutls_x509_crt_cpy(new_list[i], ca_list[i]); if (ret < 0) { gnutls_assert(); goto cleanup; } } ret = gnutls_x509_trust_list_add_cas(res->tlist, new_list, ca_list_size, GNUTLS_TL_USE_IN_TLS); if (ret < 0) { gnutls_assert(); goto cleanup; } gnutls_free(new_list); return ret; cleanup: for (j = 0; j < i; j++) gnutls_x509_crt_deinit(new_list[j]); gnutls_free(new_list); return ret; }
/* This function will try to verify the peer's certificate chain, and * also check if the hostname matches. */ void verify_certificate_chain(const char *hostname, const gnutls_datum_t * cert_chain, int cert_chain_length) { int i; gnutls_x509_trust_list_t tlist; gnutls_x509_crt_t *cert; unsigned int output; /* Initialize the trusted certificate list. This should be done * once on initialization. gnutls_x509_crt_list_import2() and * gnutls_x509_crl_list_import2() can be used to load them. */ gnutls_x509_trust_list_init(&tlist, 0); gnutls_x509_trust_list_add_cas(tlist, ca_list, ca_list_size, 0); gnutls_x509_trust_list_add_crls(tlist, crl_list, crl_list_size, GNUTLS_TL_VERIFY_CRL, 0); cert = malloc(sizeof(*cert) * cert_chain_length); /* Import all the certificates in the chain to * native certificate format. */ for (i = 0; i < cert_chain_length; i++) { gnutls_x509_crt_init(&cert[i]); gnutls_x509_crt_import(cert[i], &cert_chain[i], GNUTLS_X509_FMT_DER); } gnutls_x509_trust_list_verify_named_crt(tlist, cert[0], hostname, strlen(hostname), GNUTLS_VERIFY_DISABLE_CRL_CHECKS, &output, print_details_func); /* if this certificate is not explicitly trusted verify against CAs */ if (output != 0) { gnutls_x509_trust_list_verify_crt(tlist, cert, cert_chain_length, 0, &output, print_details_func); } if (output & GNUTLS_CERT_INVALID) { fprintf(stderr, "Not trusted"); if (output & GNUTLS_CERT_SIGNER_NOT_FOUND) fprintf(stderr, ": no issuer was found"); if (output & GNUTLS_CERT_SIGNER_NOT_CA) fprintf(stderr, ": issuer is not a CA"); if (output & GNUTLS_CERT_NOT_ACTIVATED) fprintf(stderr, ": not yet activated\n"); if (output & GNUTLS_CERT_EXPIRED) fprintf(stderr, ": expired\n"); fprintf(stderr, "\n"); } else fprintf(stderr, "Trusted\n"); /* Check if the name in the first certificate matches our destination! */ if (!gnutls_x509_crt_check_hostname(cert[0], hostname)) { printf ("The certificate's owner does not match hostname '%s'\n", hostname); } gnutls_x509_trust_list_deinit(tlist, 1); return; }
void doit(void) { int exit_val = 0; size_t i; int ret; gnutls_x509_trust_list_t tl; unsigned int verify_status; gnutls_x509_crl_t crl; gnutls_x509_crt_t ca; gnutls_datum_t tmp; /* The overloading of time() seems to work in linux (ELF?) * systems only. Disable it on windows. */ #ifdef _WIN32 exit(77); #endif ret = global_init(); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } gnutls_global_set_time_function(mytime); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); for (i = 0; crl_list[i].name; i++) { if (debug) printf("Chain '%s' (%d)...\n", crl_list[i].name, (int) i); if (debug > 2) printf("\tAdding CRL..."); ret = gnutls_x509_crl_init(&crl); if (ret < 0) { fprintf(stderr, "gnutls_x509_crl_init[%d]: %s\n", (int) i, gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) *crl_list[i].crl; tmp.size = strlen(*crl_list[i].crl); ret = gnutls_x509_crl_import(crl, &tmp, GNUTLS_X509_FMT_PEM); if (debug > 2) printf("done\n"); if (ret < 0) { fprintf(stderr, "gnutls_x509_crl_import[%s]: %s\n", crl_list[i].name, gnutls_strerror(ret)); exit(1); } gnutls_x509_crl_print(crl, GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tCRL: %.*s\n", tmp.size, tmp.data); gnutls_free(tmp.data); if (debug > 2) printf("\tAdding CA certificate..."); ret = gnutls_x509_crt_init(&ca); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) *crl_list[i].ca; tmp.size = strlen(*crl_list[i].ca); ret = gnutls_x509_crt_import(ca, &tmp, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import: %s\n", gnutls_strerror(ret)); exit(1); } if (debug > 2) printf("done\n"); gnutls_x509_crt_print(ca, GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tCA Certificate: %.*s\n", tmp.size, tmp.data); gnutls_free(tmp.data); if (debug) printf("\tVerifying..."); ret = gnutls_x509_crl_verify(crl, &ca, 1, crl_list[i].verify_flags, &verify_status); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_list_verify[%d]: %s\n", (int) i, gnutls_strerror(ret)); exit(1); } if (verify_status != crl_list[i].expected_verify_result) { gnutls_datum_t out1, out2; gnutls_certificate_verification_status_print (verify_status, GNUTLS_CRT_X509, &out1, 0); gnutls_certificate_verification_status_print(crl_list [i]. expected_verify_result, GNUTLS_CRT_X509, &out2, 0); fail("chain[%s]:\nverify_status: %d: %s\nexpected: %d: %s\n", crl_list[i].name, verify_status, out1.data, crl_list[i].expected_verify_result, out2.data); gnutls_free(out1.data); gnutls_free(out2.data); if (!debug) exit(1); } else if (debug) printf("done\n"); gnutls_x509_trust_list_init(&tl, 0); ret = gnutls_x509_trust_list_add_cas(tl, &ca, 1, 0); if (ret != 1) { fail("gnutls_x509_trust_list_add_trust_mem\n"); exit(1); } /* make sure that the two functions don't diverge */ ret = gnutls_x509_trust_list_add_crls(tl, &crl, 1, GNUTLS_TL_VERIFY_CRL, crl_list[i].verify_flags); if (crl_list[i].expected_verify_result == 0 && ret < 0) { fprintf(stderr, "gnutls_x509_trust_list_add_crls[%d]: %s\n", (int) i, gnutls_strerror(ret)); exit(1); } if (crl_list[i].expected_verify_result != 0 && ret > 0) { fprintf(stderr, "gnutls_x509_trust_list_add_crls[%d]: succeeded when it shouldn't\n", (int) i); exit(1); } if (debug) printf("\tCleanup..."); gnutls_x509_trust_list_deinit(tl, 0); gnutls_x509_crt_deinit(ca); gnutls_x509_crl_deinit(crl); if (debug) printf("done\n\n\n"); } gnutls_global_deinit(); if (debug) printf("Exit status...%d\n", exit_val); exit(exit_val); }
static int _verify_response(gnutls_datum_t * data, gnutls_datum_t * nonce, gnutls_x509_crt_t signer) { gnutls_ocsp_resp_t resp; int ret; size_t size; gnutls_x509_crt_t *x509_ca_list = NULL; gnutls_x509_trust_list_t list; unsigned int x509_ncas = 0; unsigned verify; gnutls_datum_t dat; ret = gnutls_ocsp_resp_init(&resp); if (ret < 0) { fprintf(stderr, "ocsp_resp_init: %s\n", gnutls_strerror(ret)); exit(1); } ret = gnutls_ocsp_resp_import(resp, data); if (ret < 0) { fprintf(stderr, "importing response: %s\n", gnutls_strerror(ret)); exit(1); } if (nonce) { gnutls_datum_t rnonce; ret = gnutls_ocsp_resp_get_nonce(resp, NULL, &rnonce); if (ret < 0) { fprintf(stderr, "could not read response's nonce: %s\n", gnutls_strerror(ret)); exit(1); } if (rnonce.size != nonce->size || memcmp(nonce->data, rnonce.data, nonce->size) != 0) { fprintf(stderr, "nonce in the response doesn't match\n"); exit(1); } gnutls_free(rnonce.data); } if (HAVE_OPT(LOAD_TRUST)) { dat.data = (void *) read_binary_file(OPT_ARG(LOAD_TRUST), &size); if (dat.data == NULL) { fprintf(stderr, "reading --load-trust: %s\n", OPT_ARG(LOAD_TRUST)); exit(1); } dat.size = size; ret = gnutls_x509_trust_list_init(&list, 0); if (ret < 0) { fprintf(stderr, "gnutls_x509_trust_list_init: %s\n", gnutls_strerror(ret)); exit(1); } ret = gnutls_x509_crt_list_import2(&x509_ca_list, &x509_ncas, &dat, GNUTLS_X509_FMT_PEM, 0); if (ret < 0 || x509_ncas < 1) { fprintf(stderr, "error parsing CAs: %s\n", gnutls_strerror(ret)); exit(1); } if (HAVE_OPT(VERBOSE)) { unsigned int i; printf("Trust anchors:\n"); for (i = 0; i < x509_ncas; i++) { gnutls_datum_t out; ret = gnutls_x509_crt_print(x509_ca_list[i], GNUTLS_CRT_PRINT_ONELINE, &out); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_print: %s\n", gnutls_strerror(ret)); exit(1); } printf("%d: %.*s\n", i, out.size, out.data); gnutls_free(out.data); } printf("\n"); } ret = gnutls_x509_trust_list_add_cas(list, x509_ca_list, x509_ncas, 0); if (ret < 0) { fprintf(stderr, "gnutls_x509_trust_add_cas: %s\n", gnutls_strerror(ret)); exit(1); } if (HAVE_OPT(VERBOSE)) fprintf(stdout, "Loaded %d trust anchors\n", x509_ncas); ret = gnutls_ocsp_resp_verify(resp, list, &verify, 0); if (ret < 0) { fprintf(stderr, "gnutls_ocsp_resp_verify: %s\n", gnutls_strerror(ret)); exit(1); } } else if (signer) { if (HAVE_OPT(VERBOSE)) { gnutls_datum_t out; ret = gnutls_x509_crt_print(signer, GNUTLS_CRT_PRINT_ONELINE, &out); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_print: %s\n", gnutls_strerror(ret)); exit(1); } printf("Signer: %.*s\n", out.size, out.data); gnutls_free(out.data); printf("\n"); } ret = gnutls_ocsp_resp_verify_direct(resp, signer, &verify, 0); if (ret < 0) { fprintf(stderr, "gnutls_ocsp_resp_verify_direct: %s\n", gnutls_strerror(ret)); exit(1); } } else { fprintf(stderr, "missing --load-trust or --load-signer\n"); exit(1); } printf("Verifying OCSP Response: "); print_ocsp_verify_res(verify); printf(".\n"); gnutls_ocsp_resp_deinit(resp); return verify; }
void doit (void) { int ret; gnutls_datum_t data; gnutls_x509_crt_t server_crt, ca_crt; gnutls_x509_trust_list_t tl; unsigned int status; /* this must be called once in the program */ gnutls_global_init (); gnutls_global_set_time_function (mytime); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (6); /* test for gnutls_certificate_get_issuer() */ gnutls_x509_trust_list_init(&tl, 0); gnutls_x509_crt_init(&server_crt); gnutls_x509_crt_init(&ca_crt); ret = gnutls_x509_crt_import(server_crt, &cert, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("gnutls_x509_crt_import"); ret = gnutls_x509_crt_import(ca_crt, &ca, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("gnutls_x509_crt_import"); ret = gnutls_x509_trust_list_add_cas(tl, &ca_crt, 1, 0); if (ret < 0) fail("gnutls_x509_trust_list_add_cas"); ret = gnutls_x509_trust_list_add_named_crt(tl, server_crt, NAME, NAME_SIZE, 0); if (ret < 0) fail("gnutls_x509_trust_list_add_named_crt"); ret = gnutls_x509_trust_list_verify_crt(tl, &server_crt, 1, 0, &status, NULL); if (ret < 0 || status != 0) fail("gnutls_x509_trust_list_verify_crt\n"); ret = gnutls_x509_trust_list_verify_named_crt(tl, server_crt, NAME, NAME_SIZE, 0, &status, NULL); if (ret < 0 || status != 0) fail("gnutls_x509_trust_list_verify_named_crt: %d\n", __LINE__); ret = gnutls_x509_trust_list_verify_named_crt(tl, server_crt, NAME, NAME_SIZE-1, 0, &status, NULL); if (ret < 0 || status == 0) fail("gnutls_x509_trust_list_verify_named_crt: %d\n", __LINE__); ret = gnutls_x509_trust_list_verify_named_crt(tl, server_crt, "other", 5, 0, &status, NULL); if (ret < 0 || status == 0) fail("gnutls_x509_trust_list_verify_named_crt: %d\n", __LINE__); /* test convenience functions in verify-high2.c */ data.data = cert_pem; data.size = strlen((char*)cert_pem); ret = gnutls_x509_trust_list_add_trust_mem(tl, &data, NULL, GNUTLS_X509_FMT_PEM, 0, 0); if (ret < 1) fail("gnutls_x509_trust_list_add_trust_mem: %d (%s)\n", __LINE__, gnutls_strerror(ret)); data.data = cert_der; data.size = sizeof(cert_der); ret = gnutls_x509_trust_list_add_trust_mem(tl, &data, NULL, GNUTLS_X509_FMT_DER, 0, 0); if (ret < 1) fail("gnutls_x509_trust_list_add_trust_mem: %d (%s)\n", __LINE__, gnutls_strerror(ret)); gnutls_x509_trust_list_deinit(tl, 1); gnutls_global_deinit(); if (debug) success("success"); }
static int _verify_response (gnutls_datum_t *data) { gnutls_ocsp_resp_t resp; int ret; size_t size; gnutls_x509_crt_t *x509_ca_list = NULL; unsigned int x509_ncas = 0; gnutls_x509_trust_list_t list; gnutls_x509_crt_t signer; unsigned verify; gnutls_datum_t dat; ret = gnutls_ocsp_resp_init (&resp); if (ret < 0) error (EXIT_FAILURE, 0, "ocsp_resp_init: %s", gnutls_strerror (ret)); ret = gnutls_ocsp_resp_import (resp, data); if (ret < 0) error (EXIT_FAILURE, 0, "importing response: %s", gnutls_strerror (ret)); if (HAVE_OPT(LOAD_TRUST)) { dat.data = (void*)read_binary_file (OPT_ARG(LOAD_TRUST), &size); if (dat.data == NULL) error (EXIT_FAILURE, errno, "reading --load-trust: %s", OPT_ARG(LOAD_TRUST)); dat.size = size; ret = gnutls_x509_trust_list_init (&list, 0); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_trust_list_init: %s", gnutls_strerror (ret)); ret = gnutls_x509_crt_list_import2 (&x509_ca_list, &x509_ncas, &dat, GNUTLS_X509_FMT_PEM, 0); if (ret < 0 || x509_ncas < 1) error (EXIT_FAILURE, 0, "error parsing CAs: %s", gnutls_strerror (ret)); if (HAVE_OPT(VERBOSE)) { unsigned int i; printf ("Trust anchors:\n"); for (i = 0; i < x509_ncas; i++) { gnutls_datum_t out; ret = gnutls_x509_crt_print (x509_ca_list[i], GNUTLS_CRT_PRINT_ONELINE, &out); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_crt_print: %s", gnutls_strerror (ret)); printf ("%d: %.*s\n", i, out.size, out.data); gnutls_free (out.data); } printf("\n"); } ret = gnutls_x509_trust_list_add_cas (list, x509_ca_list, x509_ncas, 0); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_trust_add_cas: %s", gnutls_strerror (ret)); if (HAVE_OPT(VERBOSE)) fprintf (stdout, "Loaded %d trust anchors\n", x509_ncas); ret = gnutls_ocsp_resp_verify (resp, list, &verify, 0); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_ocsp_resp_verify: %s", gnutls_strerror (ret)); } else if (HAVE_OPT(LOAD_SIGNER)) { ret = gnutls_x509_crt_init (&signer); if (ret < 0) error (EXIT_FAILURE, 0, "crt_init: %s", gnutls_strerror (ret)); dat.data = (void*)read_binary_file (OPT_ARG(LOAD_SIGNER), &size); if (dat.data == NULL) error (EXIT_FAILURE, errno, "reading --load-signer: %s", OPT_ARG(LOAD_SIGNER)); dat.size = size; ret = gnutls_x509_crt_import (signer, &dat, encoding); free (dat.data); if (ret < 0) error (EXIT_FAILURE, 0, "importing --load-signer: %s: %s", OPT_ARG(LOAD_SIGNER), gnutls_strerror (ret)); if (HAVE_OPT(VERBOSE)) { gnutls_datum_t out; ret = gnutls_x509_crt_print (signer, GNUTLS_CRT_PRINT_ONELINE, &out); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_x509_crt_print: %s", gnutls_strerror (ret)); printf ("Signer: %.*s\n", out.size, out.data); gnutls_free (out.data); printf("\n"); } ret = gnutls_ocsp_resp_verify_direct (resp, signer, &verify, 0); if (ret < 0) error (EXIT_FAILURE, 0, "gnutls_ocsp_resp_verify_direct: %s", gnutls_strerror (ret)); } else error (EXIT_FAILURE, 0, "missing --load-trust or --load-signer"); printf ("Verifying OCSP Response: "); print_ocsp_verify_res (verify); printf (".\n"); gnutls_ocsp_resp_deinit (resp); return verify; }
void doit(void) { char buf[128]; int exit_val = 0; int ret; unsigned j; const char *lib, *bin; gnutls_x509_crt_t issuer = NULL; gnutls_x509_trust_list_t tl; gnutls_x509_crt_t certs[MAX_CHAIN]; gnutls_x509_crt_t end, ca; unsigned verify_status = 0; gnutls_datum_t tmp; /* The overloading of time() seems to work in linux (ELF?) * systems only. Disable it on windows. */ #ifdef _WIN32 exit(77); #endif bin = softhsm_bin(); lib = softhsm_lib(); ret = global_init(); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } gnutls_pkcs11_set_pin_function(pin_func, NULL); gnutls_global_set_time_function(mytime); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); set_softhsm_conf(CONFIG); snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin); system(buf); ret = gnutls_pkcs11_add_provider(lib, "trusted"); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } for (j = 0; ca_list[j]; j++) { if (debug > 2) printf("\tAdding certificate %d...", (int) j); ret = gnutls_x509_crt_init(&certs[j]); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init[%d,%d]: %s\n", (int) 3, (int) j, gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) ca_list[j]; tmp.size = strlen(ca_list[j]); ret = gnutls_x509_crt_import(certs[j], &tmp, GNUTLS_X509_FMT_PEM); if (debug > 2) printf("done\n"); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import[%d]: %s\n", (int) j, gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_print(certs[j], GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tCertificate %d: %.*s\n", (int) j, tmp.size, tmp.data); gnutls_free(tmp.data); } if (debug > 2) printf("\tAdding end certificate..."); ret = gnutls_x509_crt_init(&end); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) v1_root_check[0]; tmp.size = strlen(v1_root_check[0]); ret = gnutls_x509_crt_import(end, &tmp, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import: %s\n", gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_print(end, GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tEnd Certificate: %.*s\n", tmp.size, tmp.data); gnutls_free(tmp.data); ret = gnutls_x509_crt_init(&ca); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) v1_root_check[1]; tmp.size = strlen(v1_root_check[1]); ret = gnutls_x509_crt_import(ca, &tmp, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import: %s\n", gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_print(end, GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tCA Certificate: %.*s\n", tmp.size, tmp.data); gnutls_free(tmp.data); if (debug > 2) printf("done\n"); if (debug) printf("\tChecking presence and verification..."); /* initialize softhsm token */ ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); if (ret < 0) { fail("gnutls_pkcs11_token_init\n"); exit(1); } /* write CA certificate to softhsm */ for (j = 0; ca_list[j]; j++) { char name[64]; snprintf(name, sizeof(name), "test-ca%d", j); ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, certs[j], name, GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED|GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO); if (ret < 0) { fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret)); exit(1); } } gnutls_x509_trust_list_init(&tl, 0); ret = gnutls_x509_trust_list_add_trust_file(tl, SOFTHSM_URL, NULL, 0, 0, 0); if (ret < 0) { fail("gnutls_x509_trust_list_add_trust_file\n"); exit(1); } ret = gnutls_x509_trust_list_add_cas(tl, &ca, 1, 0); if (ret < 0) { fail("gnutls_x509_trust_list_add_cas\n"); exit(1); } /* extract the issuer of the certificate */ ret = gnutls_x509_trust_list_get_issuer(tl, end, &issuer, GNUTLS_TL_GET_COPY); if (ret < 0) { fail("gnutls_x509_trust_list_get_issuer should have succeeded\n"); exit(1); } gnutls_x509_crt_deinit(issuer); ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, ca, GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED); if (ret != 0) { fail("gnutls_pkcs11_crt_is_known should have failed!\n"); exit(1); } ret = gnutls_x509_trust_list_verify_crt2(tl, &end, 1, NULL, 0, GNUTLS_VERIFY_DISABLE_TIME_CHECKS, &verify_status, NULL); if (ret < 0) { fail("gnutls_x509_trust_list_verify_crt2 should have succeeded\n"); exit(1); } if (verify_status != 0) { fail("verification should have succeeded: %.2x\n", verify_status); exit(1); } if (debug) printf("\tCleanup..."); gnutls_x509_trust_list_deinit(tl, 0); gnutls_x509_crt_deinit(ca); gnutls_x509_crt_deinit(end); for (j = 0; ca_list[j]; j++) { gnutls_x509_crt_deinit(certs[j]); } if (debug) printf("done\n\n\n"); gnutls_global_deinit(); if (debug) printf("Exit status...%d\n", exit_val); remove(CONFIG); exit(exit_val); }