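/**
 * gnutls_openpgp_crt_print:
 * @cert: The structure to be printed
 * @format: Indicate the format to use
 * @out: Newly allocated datum with (0) terminated string.
 *
 * This function will pretty print an OpenPGP certificate, suitable
 * for display to a human.
 *
 * The format should be (0) for future compatibility.
 *
 * %GNUTLS_CRT_PRINT_ONELINE gives a single summary line,
 * %GNUTLS_CRT_PRINT_COMPACT the summary line followed by the key
 * fingerprint, and any other value the full listing.
 *
 * The output @out needs to be deallocated using gnutls_free().
 * @out->size excludes the trailing terminator.
 *
 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 **/
int gnutls_openpgp_crt_print(gnutls_openpgp_crt_t cert,
			     gnutls_certificate_print_formats_t format,
			     gnutls_datum_t * out)
{
	gnutls_buffer_st str;
	int ret;

	_gnutls_buffer_init(&str);

	if (format == GNUTLS_CRT_PRINT_ONELINE) {
		print_oneline(&str, cert);
	} else if (format == GNUTLS_CRT_PRINT_COMPACT) {
		/* Summary line, then the fingerprint on a line of its own. */
		print_oneline(&str, cert);
		_gnutls_buffer_append_data(&str, "\n", 1);
		print_key_fingerprint(&str, cert);
	} else {
		/* Every other value, including 0, selects the full listing. */
		_gnutls_buffer_append_str(&str,
					  _("OpenPGP Certificate Information:\n"));
		print_cert(&str, cert);
	}

	/* Terminate so out->data can be used as a C string. */
	_gnutls_buffer_append_data(&str, "\0", 1);

	ret = _gnutls_buffer_to_datum(&str, out);

	/* Only adjust *out after a successful conversion: on failure the
	 * datum is not guaranteed to have been written, and decrementing
	 * whatever the caller had in out->size would corrupt it.  The
	 * decrement hides the terminator from the reported length. */
	if (ret >= 0 && out->size > 0)
		out->size--;

	return ret;
}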
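/**
 * gnutls_openpgp_crt_print:
 * @cert: The structure to be printed
 * @format: Indicate the format to use
 * @out: Newly allocated datum with zero terminated string.
 *
 * This function will pretty print an OpenPGP certificate, suitable
 * for display to a human.
 *
 * The format should be zero for future compatibility.
 * %GNUTLS_CRT_PRINT_ONELINE gives a single summary line; any other
 * value gives the full listing.
 *
 * The output @out needs to be deallocated using gnutls_free().
 * @out->size excludes the trailing terminator.
 *
 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 **/
int
gnutls_openpgp_crt_print (gnutls_openpgp_crt_t cert,
                          gnutls_certificate_print_formats_t format,
                          gnutls_datum_t * out)
{
  gnutls_buffer_st str;
  int ret;

  _gnutls_buffer_init (&str);

  if (format == GNUTLS_CRT_PRINT_ONELINE)
    print_oneline (&str, cert);
  else
    {
      _gnutls_buffer_append_str (&str,
                                 _("OpenPGP Certificate Information:\n"));
      print_cert (&str, cert);
    }

  /* The terminator is what makes the strlen() below well-defined.  If it
   * could not be appended the buffer is not NUL-terminated (and may even
   * be empty with str.data == NULL), so it must not reach the caller. */
  ret = _gnutls_buffer_append_data (&str, "\0", 1);
  if (ret < 0)
    {
      _gnutls_buffer_clear (&str);
      return ret;
    }

  /* Ownership of the buffer storage moves to the caller. */
  out->data = str.data;
  out->size = strlen (str.data);

  return 0;
}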
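/*
 * Builds a two-certificate chain (code-signing leaf + WWDR intermediate),
 * evaluates it under the iPhone profile application-signing policy at a
 * fixed date and expects kSecTrustResultUnspecified.  Also checks that
 * SecTrustCopyProperties() yields nothing before evaluation, and dumps
 * the properties and both certificates afterwards.
 */
static void tests(void)
{
	SecTrustRef trust = NULL;
	SecCertificateRef leaf = NULL, wwdr_intermediate = NULL;
	SecPolicyRef policy = NULL;

	isnt(wwdr_intermediate = SecCertificateCreateWithBytes(kCFAllocatorDefault,
	    wwdr_intermediate_cert, sizeof(wwdr_intermediate_cert)),
	    NULL, "create WWDR intermediate");
	isnt(leaf = SecCertificateCreateWithBytes(kCFAllocatorDefault,
	    codesigning_certificate, sizeof(codesigning_certificate)),
	    NULL, "create leaf");

	/* NULL callbacks: the array does not retain its elements, so leaf and
	 * wwdr_intermediate are owned by this function, not by certs. */
	const void *vcerts[] = { leaf, wwdr_intermediate };
	CFArrayRef certs = CFArrayCreate(kCFAllocatorDefault, vcerts,
	    sizeof(vcerts) / sizeof(vcerts[0]), NULL);

	isnt(policy = SecPolicyCreateiPhoneProfileApplicationSigning(), NULL,
	    "create iPhoneProfileApplicationSigning policy instance");
	ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
	    "create trust for leaf");

	/* CFAbsoluteTime (seconds since 2001-01-01).  Pinning the evaluation
	 * date keeps the result independent of the wall clock; presumably it
	 * lies inside both certificates' validity periods — confirm if the
	 * fixtures are ever replaced. */
	CFDateRef verifyDate = CFDateCreate(kCFAllocatorDefault, 228244066);
	ok_status(SecTrustSetVerifyDate(trust, verifyDate), "set verify date");
	CFReleaseNull(verifyDate);

	SecTrustResultType trustResult;
	CFArrayRef properties = SecTrustCopyProperties(trust);
	is(properties, NULL, "no properties returned before eval");
	CFReleaseNull(properties);

	ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
	is_status(trustResult, kSecTrustResultUnspecified,
	    "trust is kSecTrustResultUnspecified");

	properties = SecTrustCopyProperties(trust);
	if (properties) {
		print_plist(properties);
		print_cert(leaf, true);
		print_cert(wwdr_intermediate, false);
	}
	CFReleaseNull(properties);

	/* Each object is released exactly once; the second release of trust
	 * in the original was a no-op (CFReleaseNull had already cleared it). */
	CFReleaseNull(trust);
	CFReleaseNull(wwdr_intermediate);
	CFReleaseNull(leaf);
	CFReleaseNull(certs);
	CFReleaseNull(policy);
}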
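/*
 * Get SSL/TLS certificate check it, maybe ask user about it and act
 * accordingly.
 *
 * Fetches the peer certificate from ssn->sslconn, computes its MD5
 * fingerprint and passes both to check_cert().  check_cert() == 0 shows
 * the certificate and stores it with write_cert(); == -1 shows it and
 * asks mismatch_cert().  Both need an interactive user: with no tty on
 * stdin the program exits via fatal().  Any other check_cert() result
 * is accepted silently (presumably "matches the stored fingerprint").
 *
 * No chain verification happens here; trust rests entirely on the
 * fingerprint comparison, and MD5 is not collision-resistant, so a
 * stronger digest should be preferred for that comparison.
 *
 * Returns 0 on success and -1 on failure.  The X509 returned by
 * SSL_get_peer_certificate() is reference-counted and is released on
 * every exit path, including X509_digest() failure (which used to leak).
 */
int
get_cert(session *ssn)
{
	X509 *cert;
	unsigned char md[EVP_MAX_MD_SIZE];
	unsigned int mdlen = 0;

	if (!(cert = SSL_get_peer_certificate(ssn->sslconn)))
		return -1;

	if (!X509_digest(cert, EVP_md5(), md, &mdlen))
		goto fail;

	switch (check_cert(cert, md, &mdlen)) {
	case 0:
		if (isatty(STDIN_FILENO) == 0)
			fatal(ERROR_CERTIFICATE, "%s\n",
			    "can't accept certificate in non-interactive mode");
		print_cert(cert, md, &mdlen);
		if (write_cert(cert) == -1)
			goto fail;
		break;
	case -1:
		if (isatty(STDIN_FILENO) == 0)
			fatal(ERROR_CERTIFICATE, "%s\n",
			    "certificate mismatch in non-interactive mode");
		print_cert(cert, md, &mdlen);
		if (mismatch_cert() == -1)
			goto fail;
		break;
	default:
		/* Nothing to ask the user; fall out and accept. */
		break;
	}

	X509_free(cert);
	return 0;

fail:
	X509_free(cert);
	return -1;
}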
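/*
 * Get SSL/TLS certificate check it, maybe ask user about it and act
 * accordingly.
 *
 * Fetches the peer certificate from ssn->sslconn and consults the
 * library's chain verification result.  X509_V_OK is accepted outright
 * and the stored-fingerprint check below is skipped entirely.  A
 * self-signed certificate or one whose issuer is not in the local store
 * falls back to trust-on-first-use: the MD5 fingerprint is compared by
 * check_cert(); on first sight (0) the certificate is shown and stored
 * with store_cert() (interactive only), on mismatch (-1) it is rejected.
 * Any other verification result is fatal.
 *
 * MD5 is not collision-resistant; a stronger digest should be preferred
 * for the fingerprint comparison.
 *
 * Returns 0 on success and -1 on failure.  The X509 from
 * SSL_get_peer_certificate() is released on every exit path, including
 * X509_digest() failure (which used to leak).
 */
int
get_cert(session *ssn)
{
	X509 *cert;
	unsigned char md[EVP_MAX_MD_SIZE];
	unsigned int mdlen = 0;
	long verify;

	if (!(cert = SSL_get_peer_certificate(ssn->sslconn)))
		return -1;

	verify = SSL_get_verify_result(ssn->sslconn);
	if (!((verify == X509_V_OK) ||
	    (verify == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ||
	    (verify == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY))) {
		/* verify is a long; %d did not match the argument type. */
		error("certificate verification failed; %ld\n", verify);
		goto fail;
	}

	if (verify != X509_V_OK) {
		if (!X509_digest(cert, EVP_md5(), md, &mdlen))
			goto fail;

		switch (check_cert(cert, md, &mdlen)) {
		case 0:
			if (isatty(STDIN_FILENO) == 0)
				fatal(ERROR_CERTIFICATE, "%s\n",
				    "can't accept certificate in "
				    "non-interactive mode");
			print_cert(cert, md, &mdlen);
			if (store_cert(cert) == -1)
				goto fail;
			break;
		case -1:
			error("certificate mismatch occured\n");
			goto fail;
		default:
			/* Nothing to ask the user; fall out and accept. */
			break;
		}
	}

	X509_free(cert);
	return 0;

fail:
	X509_free(cert);
	return -1;
}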
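/*
 * Print every certificate in peerCerts, each framed by banner lines that
 * carry its index.  A NULL array prints nothing.  verbose is passed
 * through to print_cert().
 */
static void showPeerCerts(
	CFArrayRef peerCerts,
	bool verbose)
{
	if (peerCerts == NULL) {
		return;
	}

	CFIndex numCerts = CFArrayGetCount(peerCerts);
	for (CFIndex i = 0; i < numCerts; i++) {
		SecCertificateRef certRef =
		    (SecCertificateRef)CFArrayGetValueAtIndex(peerCerts, i);
		/* CFIndex is a signed long, so %ld (not %lu) matches it. */
		printf("\n================== Server Cert %ld ===================\n\n", i);
		print_cert(certRef, verbose);
		printf("\n=============== End of Server Cert %ld ===============\n", i);
	}
}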
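/*
 * Asks user to verify certificate data before proceeding.
 *
 * Prints cert in text form, then prompts (via an OpenSSL UI) whether to
 * trust it.  If the certificate is not a CA certificate a second
 * confirmation is requested.  Valid answers are fixed to y/Y and n/N
 * regardless of locale.
 *
 * Returns Accept when the user confirmed every prompt, Reject when any
 * prompt was answered negatively, and VerifyFailed when printing or the
 * prompt machinery itself failed (with the cause logged).
 */
static VerifyStatus
verify_trust(X509 *cert)
{
	char		vfy_trust = 'y';
	VerifyStatus	ret = Accept;
	PKG_ERR		*err;
	UI		*ui = NULL;

	err = pkgerr_new();

	/* print cert data */
	if (print_cert(err, cert, KEYSTORE_FORMAT_TEXT,
	    get_subject_display_name(cert), B_TRUE, stdout) != 0) {
		log_pkgerr(LOG_MSG_ERR, err);
		ret = VerifyFailed;
		goto cleanup;
	}

	if ((ui = UI_new()) == NULL) {
		log_msg(LOG_MSG_ERR, MSG_MEM);
		ret = VerifyFailed;
		goto cleanup;
	}

	/*
	 * The prompt is internationalized, but the valid
	 * response values are fixed, to avoid any complex
	 * multibyte processing that results in bugs
	 */
	if (UI_add_input_boolean(ui, MSG_VERIFY_TRUST, "",
	    "yY", "nN", UI_INPUT_FLAG_ECHO, &vfy_trust) <= 0) {
		log_msg(LOG_MSG_ERR, MSG_MEM);
		ret = VerifyFailed;
		goto cleanup;
	}

	if (UI_process(ui) != 0) {
		log_msg(LOG_MSG_ERR, MSG_MEM);
		ret = VerifyFailed;
		goto cleanup;
	}

	if (vfy_trust != 'y') {
		ret = Reject;
		goto cleanup;
	}

	/*
	 * if the cert does not appear to be a CA cert
	 * or is not self-signed, verify that as well
	 */
	if (!is_ca_cert(cert)) {
		/* A UI object is single-use here: build a fresh one. */
		UI_free(ui);
		if ((ui = UI_new()) == NULL) {
			log_msg(LOG_MSG_ERR, MSG_MEM);
			ret = VerifyFailed;
			goto cleanup;
		}

		if (UI_add_input_boolean(ui, MSG_VERIFY_NOT_CA, "",
		    "yY", "nN", UI_INPUT_FLAG_ECHO, &vfy_trust) <= 0) {
			/* Log the failure like the first prompt does. */
			log_msg(LOG_MSG_ERR, MSG_MEM);
			ret = VerifyFailed;
			goto cleanup;
		}

		if (UI_process(ui) != 0) {
			log_msg(LOG_MSG_ERR, MSG_MEM);
			ret = VerifyFailed;
			goto cleanup;
		}

		if (vfy_trust != 'y') {
			ret = Reject;
			goto cleanup;
		}
	}

cleanup:
	if (ui != NULL)
		UI_free(ui);

	if (err != NULL)
		pkgerr_free(err);

	return (ret);
}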