1 /* This example code is placed in the public domain. */
10 #include <gnutls/gnutls.h>
11 #include <gnutls/x509.h>
14 /* This function will verify the peer's certificate, check
15 * if the hostname matches. In addition it will perform an
16 * SSH-style authentication, where ultimately trusted keys
17 * are only the keys that have been seen before.
20 _ssh_verify_certificate_callback (gnutls_session_t session
)
23 const gnutls_datum_t
*cert_list
;
24 unsigned int cert_list_size
;
30 hostname
= gnutls_session_get_ptr (session
);
32 /* This verification function uses the trusted CAs in the credentials
33 * structure. So you must have installed one or more CA certificates.
35 ret
= gnutls_certificate_verify_peers3 (session
, hostname
, &status
);
39 return GNUTLS_E_CERTIFICATE_ERROR
;
42 type
= gnutls_certificate_type_get (session
);
44 ret
= gnutls_certificate_verification_status_print( status
, type
, &out
, 0);
48 return GNUTLS_E_CERTIFICATE_ERROR
;
51 printf ("%s", out
.data
);
53 gnutls_free(out
.data
);
55 if (status
!= 0) /* Certificate is not trusted */
56 return GNUTLS_E_CERTIFICATE_ERROR
;
58 /* Do SSH verification */
59 cert_list
= gnutls_certificate_get_peers (session
, &cert_list_size
);
60 if (cert_list
== NULL
)
62 printf ("No certificate was found!\n");
63 return GNUTLS_E_CERTIFICATE_ERROR
;
66 /* service may be obtained alternatively using getservbyport() */
67 ret
= gnutls_verify_stored_pubkey(NULL
, NULL
, hostname
, "https",
68 type
, &cert_list
[0], 0);
69 if (ret
== GNUTLS_E_NO_CERTIFICATE_FOUND
)
71 printf("Host %s is not known.", hostname
);
73 printf("Its certificate is valid for %s.\n", hostname
);
75 /* the certificate must be printed and user must be asked on
76 * whether it is trustworthy. --see gnutls_x509_crt_print() */
79 return GNUTLS_E_CERTIFICATE_ERROR
;
81 else if (ret
== GNUTLS_E_CERTIFICATE_KEY_MISMATCH
)
83 printf("Warning: host %s is known but has another key associated.", hostname
);
84 printf("It might be that the server has multiple keys, or you are under attack\n");
86 printf("Its certificate is valid for %s.\n", hostname
);
88 /* the certificate must be printed and user must be asked on
89 * whether it is trustworthy. --see gnutls_x509_crt_print() */
92 return GNUTLS_E_CERTIFICATE_ERROR
;
96 printf("gnutls_verify_stored_pubkey: %s\n", gnutls_strerror(ret
));
100 /* user trusts the key -> store it */
103 ret
= gnutls_store_pubkey(NULL
, NULL
, hostname
, "https",
104 type
, &cert_list
[0], 0, 0);
106 printf("gnutls_store_pubkey: %s\n", gnutls_strerror(ret
));
109 /* notify gnutls to continue handshake normally */