doc/examples/ex-verify.c

   1 /* This example code is placed in the public domain. */
   2
   3 #ifdef HAVE_CONFIG_H
   4 #include <config.h>
   5 #endif
   6
   7 #include <stdio.h>
   8 #include <stdlib.h>
   9 #include <string.h>
  10 #include <gnutls/gnutls.h>
  11 #include <gnutls/x509.h>
  12
  13 #include "examples.h"
  14
  15 /* All the available CRLs
  16  */
  17 gnutls_x509_crl_t *crl_list;
  18 int crl_list_size;
  19
  20 /* All the available trusted CAs
  21  */
  22 gnutls_x509_crt_t *ca_list;
  23 int ca_list_size;
  24
  25 static int print_details_func (gnutls_x509_crt_t cert,
  26                                gnutls_x509_crt_t issuer,
  27                                gnutls_x509_crl_t crl,
  28                                unsigned int verification_output);
  29
  30 /* This function will try to verify the peer's certificate chain, and
  31  * also check if the hostname matches.
  32  */
  33 void
  34 verify_certificate_chain (const char *hostname,
  35                           const gnutls_datum_t * cert_chain,
  36                           int cert_chain_length)
  37 {
  38   int i;
  39   gnutls_x509_trust_list_t tlist;
  40   gnutls_x509_crt_t *cert;
  41
  42   unsigned int output;
  43
  44   /* Initialize the trusted certificate list. This should be done
  45    * once on initialization. gnutls_x509_crt_list_import2() and
  46    * gnutls_x509_crl_list_import2() can be used to load them.
  47    */
  48   gnutls_x509_trust_list_init (&tlist, 0);
  49
  50   gnutls_x509_trust_list_add_cas (tlist, ca_list, ca_list_size, 0);
  51   gnutls_x509_trust_list_add_crls (tlist, crl_list, crl_list_size,
  52                                    GNUTLS_TL_VERIFY_CRL, 0);
  53
  54   cert = malloc (sizeof (*cert) * cert_chain_length);
  55
  56   /* Import all the certificates in the chain to
  57    * native certificate format.
  58    */
  59   for (i = 0; i < cert_chain_length; i++)
  60     {
  61       gnutls_x509_crt_init (&cert[i]);
  62       gnutls_x509_crt_import (cert[i], &cert_chain[i], GNUTLS_X509_FMT_DER);
  63     }
  64
  65   gnutls_x509_trust_list_verify_named_crt (tlist, cert[0], hostname,
  66                                            strlen (hostname),
  67                                            GNUTLS_VERIFY_DISABLE_CRL_CHECKS,
  68                                            &output, print_details_func);
  69
  70   /* if this certificate is not explicitly trusted verify against CAs
  71    */
  72   if (output != 0)
  73     {
  74       gnutls_x509_trust_list_verify_crt (tlist, cert, cert_chain_length, 0,
  75                                          &output, print_details_func);
  76     }
  77
  78   if (output & GNUTLS_CERT_INVALID)
  79     {
  80       fprintf (stderr, "Not trusted");
  81
  82       if (output & GNUTLS_CERT_SIGNER_NOT_FOUND)
  83         fprintf (stderr, ": no issuer was found");
  84       if (output & GNUTLS_CERT_SIGNER_NOT_CA)
  85         fprintf (stderr, ": issuer is not a CA");
  86       if (output & GNUTLS_CERT_NOT_ACTIVATED)
  87         fprintf (stderr, ": not yet activated\n");
  88       if (output & GNUTLS_CERT_EXPIRED)
  89         fprintf (stderr, ": expired\n");
  90
  91       fprintf (stderr, "\n");
  92     }
  93   else
  94     fprintf (stderr, "Trusted\n");
  95
  96   /* Check if the name in the first certificate matches our destination!
  97    */
  98   if (!gnutls_x509_crt_check_hostname (cert[0], hostname))
  99     {
 100       printf ("The certificate's owner does not match hostname '%s'\n",
 101               hostname);
 102     }
 103
 104   gnutls_x509_trust_list_deinit (tlist, 1);
 105
 106   return;
 107 }
 108
 109 static int
 110 print_details_func (gnutls_x509_crt_t cert,
 111                     gnutls_x509_crt_t issuer, gnutls_x509_crl_t crl,
 112                     unsigned int verification_output)
 113 {
 114   char name[512];
 115   char issuer_name[512];
 116   size_t name_size;
 117   size_t issuer_name_size;
 118
 119   issuer_name_size = sizeof (issuer_name);
 120   gnutls_x509_crt_get_issuer_dn (cert, issuer_name, &issuer_name_size);
 121
 122   name_size = sizeof (name);
 123   gnutls_x509_crt_get_dn (cert, name, &name_size);
 124
 125   fprintf (stdout, "\tSubject: %s\n", name);
 126   fprintf (stdout, "\tIssuer: %s\n", issuer_name);
 127
 128   if (issuer != NULL)
 129     {
 130       issuer_name_size = sizeof (issuer_name);
 131       gnutls_x509_crt_get_dn (issuer, issuer_name, &issuer_name_size);
 132
 133       fprintf (stdout, "\tVerified against: %s\n", issuer_name);
 134     }
 135
 136   if (crl != NULL)
 137     {
 138       issuer_name_size = sizeof (issuer_name);
 139       gnutls_x509_crl_get_issuer_dn (crl, issuer_name, &issuer_name_size);
 140
 141       fprintf (stdout, "\tVerified against CRL of: %s\n", issuer_name);
 142     }
 143
 144   fprintf (stdout, "\tVerification output: %x\n\n", verification_output);
 145
 146   return 0;
 147 }