source-git / mingw-gnutls

Clone
Source Code
GIT

Blame doc/examples/ex-verify.c

c8 master
  1.   f6533347d87caea1b0e7da73f23a9ef464150ce5
  2.   doc
  3.   examples
  4.   ex-verify.c
Blob History Raw
Packit 549fdc 
/* This example code is placed in the public domain. */
Packit 549fdc
Packit 549fdc 
#ifdef HAVE_CONFIG_H
Packit 549fdc 
#include <config.h>
Packit 549fdc 
#endif
Packit 549fdc
Packit 549fdc 
#include <stdio.h>
Packit 549fdc 
#include <stdlib.h>
Packit 549fdc 
#include <string.h>
Packit 549fdc 
#include <assert.h>
Packit 549fdc 
#include <gnutls/gnutls.h>
Packit 549fdc 
#include <gnutls/x509.h>
Packit 549fdc
Packit 549fdc 
#include "examples.h"
Packit 549fdc
Packit 549fdc 
#define CHECK(x) assert((x)>=0)
Packit 549fdc
Packit 549fdc 
/* All the available CRLs
Packit 549fdc 
 */
Packit 549fdc 
gnutls_x509_crl_t *crl_list;
Packit 549fdc 
int crl_list_size;
Packit 549fdc
Packit 549fdc 
/* All the available trusted CAs
Packit 549fdc 
 */
Packit 549fdc 
gnutls_x509_crt_t *ca_list;
Packit 549fdc 
int ca_list_size;
Packit 549fdc
Packit 549fdc 
static int print_details_func(gnutls_x509_crt_t cert,
Packit 549fdc 
                              gnutls_x509_crt_t issuer,
Packit 549fdc 
                              gnutls_x509_crl_t crl,
Packit 549fdc 
                              unsigned int verification_output);
Packit 549fdc
Packit 549fdc 
/* This function will try to verify the peer's certificate chain, and
Packit 549fdc 
 * also check if the hostname matches.
Packit 549fdc 
 */
Packit 549fdc 
void
Packit 549fdc 
verify_certificate_chain(const char *hostname,
Packit 549fdc 
                         const gnutls_datum_t * cert_chain,
Packit 549fdc 
                         int cert_chain_length)
Packit 549fdc 
{
Packit 549fdc 
        int i;
Packit 549fdc 
        gnutls_x509_trust_list_t tlist;
Packit 549fdc 
        gnutls_x509_crt_t *cert;
Packit 549fdc 
        gnutls_datum_t txt;
Packit 549fdc 
        unsigned int output;
Packit 549fdc
Packit 549fdc 
        /* Initialize the trusted certificate list. This should be done
Packit 549fdc 
         * once on initialization. gnutls_x509_crt_list_import2() and
Packit 549fdc 
         * gnutls_x509_crl_list_import2() can be used to load them.
Packit 549fdc 
         */
Packit 549fdc 
        CHECK(gnutls_x509_trust_list_init(&tlist, 0));
Packit 549fdc
Packit 549fdc 
        CHECK(gnutls_x509_trust_list_add_cas(tlist, ca_list, ca_list_size, 0));
Packit 549fdc 
        CHECK(gnutls_x509_trust_list_add_crls(tlist, crl_list, crl_list_size,
Packit 549fdc 
                                              GNUTLS_TL_VERIFY_CRL, 0));
Packit 549fdc
Packit 549fdc 
        cert = malloc(sizeof(*cert) * cert_chain_length);
Packit 549fdc
Packit 549fdc 
        /* Import all the certificates in the chain to
Packit 549fdc 
         * native certificate format.
Packit 549fdc 
         */
Packit 549fdc 
        for (i = 0; i < cert_chain_length; i++) {
Packit 549fdc 
                CHECK(gnutls_x509_crt_init(&cert[i]));
Packit 549fdc 
                CHECK(gnutls_x509_crt_import(cert[i], &cert_chain[i],
Packit 549fdc 
                                             GNUTLS_X509_FMT_DER));
Packit 549fdc 
        }
Packit 549fdc
Packit 549fdc 
        CHECK(gnutls_x509_trust_list_verify_named_crt(tlist, cert[0],
Packit 549fdc 
                                                hostname,
Packit 549fdc 
                                                strlen(hostname),
Packit 549fdc 
                                                GNUTLS_VERIFY_DISABLE_CRL_CHECKS,
Packit 549fdc 
                                                &output,
Packit 549fdc 
                                                print_details_func));
Packit 549fdc
Packit 549fdc 
        /* if this certificate is not explicitly trusted verify against CAs
Packit 549fdc 
         */
Packit 549fdc 
        if (output != 0) {
Packit 549fdc 
                CHECK(gnutls_x509_trust_list_verify_crt(tlist, cert,
Packit 549fdc 
                                                  cert_chain_length, 0,
Packit 549fdc 
                                                  &output,
Packit 549fdc 
                                                  print_details_func));
Packit 549fdc 
        }
Packit 549fdc
Packit 549fdc
Packit 549fdc
Packit 549fdc 
        if (output & GNUTLS_CERT_INVALID) {
Packit 549fdc 
                fprintf(stderr, "Not trusted\n");
Packit 549fdc 
                CHECK(gnutls_certificate_verification_status_print(
Packit 549fdc 
                                                     output,
Packit 549fdc 
                                                     GNUTLS_CRT_X509,
Packit 549fdc 
                                                     &txt, 0));
Packit 549fdc
Packit 549fdc 
                fprintf(stderr, "Error: %s\n", txt.data);
Packit 549fdc 
                gnutls_free(txt.data);
Packit 549fdc 
        } else
Packit 549fdc 
                fprintf(stderr, "Trusted\n");
Packit 549fdc
Packit 549fdc 
        /* Check if the name in the first certificate matches our destination!
Packit 549fdc 
         */
Packit 549fdc 
        if (!gnutls_x509_crt_check_hostname(cert[0], hostname)) {
Packit 549fdc 
                printf
Packit 549fdc 
                    ("The certificate's owner does not match hostname '%s'\n",
Packit 549fdc 
                     hostname);
Packit 549fdc 
        }
Packit 549fdc
Packit 549fdc 
        gnutls_x509_trust_list_deinit(tlist, 1);
Packit 549fdc
Packit 549fdc 
        return;
Packit 549fdc 
}
Packit 549fdc
Packit 549fdc 
static int
Packit 549fdc 
print_details_func(gnutls_x509_crt_t cert,
Packit 549fdc 
                   gnutls_x509_crt_t issuer, gnutls_x509_crl_t crl,
Packit 549fdc 
                   unsigned int verification_output)
Packit 549fdc 
{
Packit 549fdc 
        char name[512];
Packit 549fdc 
        char issuer_name[512];
Packit 549fdc 
        size_t name_size;
Packit 549fdc 
        size_t issuer_name_size;
Packit 549fdc
Packit 549fdc 
        issuer_name_size = sizeof(issuer_name);
Packit 549fdc 
        gnutls_x509_crt_get_issuer_dn(cert, issuer_name,
Packit 549fdc 
                                      &issuer_name_size);
Packit 549fdc
Packit 549fdc 
        name_size = sizeof(name);
Packit 549fdc 
        gnutls_x509_crt_get_dn(cert, name, &name_size);
Packit 549fdc
Packit 549fdc 
        fprintf(stdout, "\tSubject: %s\n", name);
Packit 549fdc 
        fprintf(stdout, "\tIssuer: %s\n", issuer_name);
Packit 549fdc
Packit 549fdc 
        if (issuer != NULL) {
Packit 549fdc 
                issuer_name_size = sizeof(issuer_name);
Packit 549fdc 
                gnutls_x509_crt_get_dn(issuer, issuer_name,
Packit 549fdc 
                                       &issuer_name_size);
Packit 549fdc
Packit 549fdc 
                fprintf(stdout, "\tVerified against: %s\n", issuer_name);
Packit 549fdc 
        }
Packit 549fdc
Packit 549fdc 
        if (crl != NULL) {
Packit 549fdc 
                issuer_name_size = sizeof(issuer_name);
Packit 549fdc 
                gnutls_x509_crl_get_issuer_dn(crl, issuer_name,
Packit 549fdc 
                                              &issuer_name_size);
Packit 549fdc
Packit 549fdc 
                fprintf(stdout, "\tVerified against CRL of: %s\n",
Packit 549fdc 
                        issuer_name);
Packit 549fdc 
        }
Packit 549fdc
Packit 549fdc 
        fprintf(stdout, "\tVerification output: %x\n\n",
Packit 549fdc 
                verification_output);
Packit 549fdc
Packit 549fdc 
        return 0;
Packit 549fdc 
}

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation