authorNikos Mavrogiannopoulos <nmav@gnutls.org>2001-12-05 13:41:46 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2001-12-05 13:41:46 +0000
commit3566f540c2ea57ef3fced95b06f6ba52f4f24ab8 (patch)
treed47fb1e64c4060ff98543f33fa82d048ba533e7d
parent091cea8dbd1e5fbd940d4c863b68d5eb5ff7cab3 (diff)
optimized certificate handling API
-rw-r--r--NEWS5
-rw-r--r--doc/tex/ex1.tex4
-rw-r--r--doc/tex/ex2.tex1
-rw-r--r--doc/tex/ex3.tex26
-rw-r--r--lib/auth_x509.c106
-rw-r--r--lib/gnutls_record.c7
-rw-r--r--lib/gnutls_ui.c3
-rw-r--r--lib/gnutls_ui.h54
-rw-r--r--src/cli.c14
-rw-r--r--src/common.h5
-rw-r--r--src/serv.c18
11 files changed, 106 insertions, 137 deletions
diff --git a/NEWS b/NEWS
index b44221b809..73658648b1 100644
--- a/NEWS
+++ b/NEWS
@@ -2,8 +2,9 @@ Version ?.?.?
- gnutls_handshake(), gnutls_read() etc. functions no longer require
the 'SOCKET cd' argument. This argument is set using the function
gnutls_set_transport_ptr().
-- introduced gnutls_x509pki_get_peer_certificate(). This function returns
- the peer's certificate DER encoded.
+- introduced gnutls_x509pki_get_peer_certificate_list(). This function returns
+ a list containing peer's certificate and issuers DER encoded.
+- Updated X.509 certificate handling API
- Buffer overflow checking in ASN.1 structures parser
Version 0.2.11 (16/11/2001)
diff --git a/doc/tex/ex1.tex b/doc/tex/ex1.tex
index 891f01f3ce..957bcc78a5 100644
--- a/doc/tex/ex1.tex
+++ b/doc/tex/ex1.tex
@@ -139,8 +139,10 @@ int main()
} else {
if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED)
printf("* Received alert [%d]\n", gnutls_get_last_alert(state));
- if (ret == GNUTLS_E_REHANDSHAKE)
+ if (ret == GNUTLS_E_REHANDSHAKE) {
printf("* Received HelloRequest message (server asked to rehandshake)\n");
+ gnutls_send_appropriate_alert( state, ret); /* we don't want rehandshake */
+ }
}
if (ret > 0) {
diff --git a/doc/tex/ex2.tex b/doc/tex/ex2.tex
index b8c9637033..96f9bbb5fe 100644
--- a/doc/tex/ex2.tex
+++ b/doc/tex/ex2.tex
@@ -113,6 +113,7 @@ int main()
printf("* Received alert [%d]\n", gnutls_get_last_alert(state));
if (ret == GNUTLS_E_REHANDSHAKE)
printf("* Received HelloRequest message (server asked to rehandshake)\n");
+ gnutls_send_appropriate_alert( state, ret); /* we don't want rehandshake */
}
if (ret > 0) {
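Review bot: The `gnutls_send_appropriate_alert( state, ret)` call added here is not inside the `if (ret == GNUTLS_E_REHANDSHAKE)` body, whose single statement is the printf on the line above, so in this example it runs for every error that reaches this else branch; the ex1.tex hunk in the same commit adds braces around both statements, and the gnutls_record.c doc in this commit says the alert is fatal for every code other than GNUTLS_E_REHANDSHAKE. Indentation is lost in this rendering, but the absence of braces is visible. Wrap the two statements as ex1.tex does: `if (ret == GNUTLS_E_REHANDSHAKE) {` … `}`. The enclosing main() continues outside the hunk.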
diff --git a/doc/tex/ex3.tex b/doc/tex/ex3.tex
index d9aab17d45..2a6b3229c2 100644
--- a/doc/tex/ex3.tex
+++ b/doc/tex/ex3.tex
@@ -7,13 +7,11 @@
PRINTX( "L:", X->locality_name); \
PRINTX( "S:", X->state_or_province_name); \
PRINTX( "C:", X->country); \
- PRINTX( "E:", X->email); \
- PRINTX( "SAN:", gnutls_x509pki_client_get_subject_dns_name( state))
+ PRINTX( "E:", X->email)
int print_info(GNUTLS_STATE state)
{
const char *tmp;
- const gnutls_DN* dn;
/* print the key exchange's algorithm name
*/
@@ -23,6 +21,9 @@ int print_info(GNUTLS_STATE state)
/* in case of X509 PKI
*/
if (gnutls_get_auth_type(state) == GNUTLS_X509PKI) {
+ const gnutls_DN* dn;
+ const gnutls_datum* cert_list;
+ int cert_list_size = 0;
CertificateStatus status;
KXAlgorithm kx;
@@ -37,6 +38,7 @@ int print_info(GNUTLS_STATE state)
status = gnutls_x509pki_client_get_peer_certificate_status( state);
+ cert_list = gnutls_x509pki_client_get_peer_certificate_list( state, &cert_list_size);
switch( status) {
case GNUTLS_CERT_NOT_TRUSTED:
@@ -56,30 +58,30 @@ int print_info(GNUTLS_STATE state)
break;
}
- if (status!=GNUTLS_CERT_NONE && status!=GNUTLS_CERT_INVALID) {
+ if ( cert_list_size > 0) {
printf(" - Certificate info:\n");
- printf(" - Certificate version: #%d\n", gnutls_x509pki_client_get_peer_certificate_version( state));
+ printf(" - Certificate version: #%d\n", gnutls_x509pki_client_extract_certificate_version( &cert_list[0]));
- dn = gnutls_x509pki_client_get_peer_dn( state);
- PRINT_DN(dn);
+ gnutls_x509pki_client_extract_dn( &cert_list[0], &dn);
+ PRINT_DN( dn);
+ gnutls_x509pki_client_extract_issuer_dn( &cert_list[0], &dn);
printf(" - Certificate Issuer's info:\n");
- dn = gnutls_x509pki_client_get_issuer_dn( state);
PRINT_DN(dn);
}
}
- tmp = gnutls_version_get_name(gnutls_get_current_version(state));
+ tmp = gnutls_version_get_name(gnutls_get_current_version( state));
printf("- Version: %s\n", tmp);
- tmp = gnutls_compression_get_name(gnutls_get_current_compression_method(state));
+ tmp = gnutls_compression_get_name(gnutls_get_current_compression_method( state));
printf("- Compression: %s\n", tmp);
- tmp = gnutls_cipher_get_name(gnutls_get_current_cipher(state));
+ tmp = gnutls_cipher_get_name(gnutls_get_current_cipher( state));
printf("- Cipher: %s\n", tmp);
- tmp = gnutls_mac_get_name(gnutls_get_current_mac_algorithm(state));
+ tmp = gnutls_mac_get_name(gnutls_get_current_mac_algorithm( state));
printf("- MAC: %s\n", tmp);
return 0;
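Review bot: `dn` is declared `const gnutls_DN* dn;` in the earlier hunk of this file (kept from the old pointer-returning `get_peer_dn` API), yet `gnutls_x509pki_client_extract_dn( &cert_list[0], &dn)` and the issuer call pass `&dn`, a `const gnutls_DN**`, to a function declared with `gnutls_DN *` that memsets `sizeof(gnutls_DN)` bytes through it, so the example overruns a pointer-sized local and `PRINT_DN( dn)` then follows whatever was written. Declare `gnutls_DN dn;`, keep `&dn` in the extract calls, and either pass `&dn` to PRINT_DN or change this file's PRINT_DN macro to `X.` member access as src/common.h does. The return values of both extract calls are also discarded here, unlike serv.c in this commit.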
diff --git a/lib/auth_x509.c b/lib/auth_x509.c
index b29adfb52b..054fc30a91 100644
--- a/lib/auth_x509.c
+++ b/lib/auth_x509.c
@@ -819,7 +819,7 @@ int _gnutls_find_apr_cert( GNUTLS_STATE state, gnutls_cert** apr_cert_list, int
/**
* gnutls_x509pki_get_peer_dn - This function returns the peer's distinguished name
- * @state: is a gnutls state
+ * @cert: should contain an X.509 DER encoded certificate
* @ret: a pointer to a structure to hold the peer's name
*
* This function will return the name of the peer. The name is gnutls_DN structure and
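Review bot: The gtk-doc header still reads `gnutls_x509pki_get_peer_dn - This function returns the peer's distinguished name` and "will return the name of the peer", while the function it documents is renamed to `gnutls_x509pki_extract_dn(const gnutls_datum* cert, gnutls_DN * ret)` in the next hunk; the sibling headers for extract_issuer_dn, extract_subject_dns_name and the time/version getters were updated in this commit but this one was not. Suggest `* gnutls_x509pki_extract_dn - This function returns the certificate's subject distinguished name` and "This function will return the subject name stated in the given certificate." The comment block continues past the end of this hunk.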
@@ -828,20 +828,13 @@ int _gnutls_find_apr_cert( GNUTLS_STATE state, gnutls_cert** apr_cert_list, int
* Returns a negative error code in case of an error.
*
**/
-int gnutls_x509pki_get_peer_dn(GNUTLS_STATE state, gnutls_DN * ret)
+int gnutls_x509pki_extract_dn(const gnutls_datum* cert, gnutls_DN * ret)
{
- X509PKI_AUTH_INFO info;
node_asn *c2;
int result;
- CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST);
-
memset( ret, 0, sizeof(gnutls_DN));
- info = _gnutls_get_auth_info(state);
- if (info == NULL)
- return GNUTLS_E_INVALID_REQUEST;
-
if (asn1_create_structure
(_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2,
"certificate2")
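Review bot: `gnutls_x509pki_extract_dn` now dereferences `cert` (at the `asn1_get_der(c2, cert->data, cert->size)` line in the following hunk) and `ret` with no validity check, whereas the removed CHECK_AUTH and `info == NULL` guards previously ensured a certificate existed before it was read; these are public entry points and gnutls_ui.c in this commit documents that `gnutls_x509pki_get_peer_certificate_list` returns NULL on error, so a caller can hand that straight in. Suggest a guard before the memset: `if (cert == NULL || cert->data == NULL || ret == NULL) return GNUTLS_E_INVALID_REQUEST;`. The same applies to extract_issuer_dn, extract_subject_dns_name (which also trusts `*ret_size`), extract_certificate_version, and the activation/expiration time functions, which should return -1 instead. The function body continues outside this hunk.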
@@ -851,7 +844,7 @@ int gnutls_x509pki_get_peer_dn(GNUTLS_STATE state, gnutls_DN * ret)
}
- result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size);
+ result = asn1_get_der(c2, cert->data, cert->size);
if (result != ASN_OK) {
/* couldn't decode DER */
#ifdef DEBUG
@@ -876,30 +869,23 @@ int gnutls_x509pki_get_peer_dn(GNUTLS_STATE state, gnutls_DN * ret)
}
/**
- * gnutls_x509pki_get_issuer_dn - This function returns the peer's issuer distinguished name
- * @state: is a gnutls state
+ * gnutls_x509pki_extract_issuer_dn - This function returns the certificate's issuer distinguished name
+ * @cert: should contain an X.509 DER encoded certificate
* @ret: a pointer to a structure to hold the issuer's name
*
- * This function will return the name of the issuer of peer. The name is a gnutls_DN structure and
+ * This function will return the name of the issuer stated in the certificate. The name is a gnutls_DN structure and
* is a obtained by the peer's certificate. If the certificate send by the
* peer is invalid, or in any other failure this function returns error.
* Returns a negative error code in case of an error.
*
**/
-int gnutls_x509pki_get_issuer_dn(GNUTLS_STATE state, gnutls_DN * ret)
+int gnutls_x509pki_extract_issuer_dn(const gnutls_datum* cert, gnutls_DN * ret)
{
- X509PKI_AUTH_INFO info;
node_asn *c2;
int result;
- CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST);
-
memset( ret, 0, sizeof(gnutls_DN));
- info = _gnutls_get_auth_info(state);
- if (info == NULL)
- return GNUTLS_E_INVALID_REQUEST;
-
if (asn1_create_structure
(_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2,
"certificate2")
@@ -908,7 +894,7 @@ int gnutls_x509pki_get_issuer_dn(GNUTLS_STATE state, gnutls_DN * ret)
return GNUTLS_E_ASN1_ERROR;
}
- result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size);
+ result = asn1_get_der(c2, cert->data, cert->size);
if (result != ASN_OK) {
/* couldn't decode DER */
#ifdef DEBUG
@@ -933,12 +919,14 @@ int gnutls_x509pki_get_issuer_dn(GNUTLS_STATE state, gnutls_DN * ret)
}
/**
- * gnutls_x509pki_get_subject_dns_name - This function returns the peer's dns name, if any
- * @state: is a gnutls state
+ * gnutls_x509pki_extract_subject_dns_name - This function returns the peer's dns name, if any
+ * @cert: should contain an X.509 DER encoded certificate
* @ret: is the place where dns name will be copied to
* @ret_size: holds the size of ret.
*
- * This function will return the peer's alternative name (the dns part of it).
+ * This function will return the alternative name (the dns part of it), contained in the
+ * given certificate.
+ *
* This is specified in X509v3 Certificate Extensions.
* GNUTLS will only return the dnsName of the Alternative name, or a negative
* error code.
@@ -948,23 +936,15 @@ int gnutls_x509pki_get_issuer_dn(GNUTLS_STATE state, gnutls_DN * ret)
* If the certificate does not have a DNS name then returns GNUTLS_E_DATA_NOT_AVAILABLE;
*
**/
-int gnutls_x509pki_get_subject_dns_name(GNUTLS_STATE state, char* ret, int *ret_size)
+int gnutls_x509pki_extract_subject_dns_name(const gnutls_datum* cert, char* ret, int *ret_size)
{
- X509PKI_AUTH_INFO info;
int result;
gnutls_datum dnsname;
- CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST);
-
- info = _gnutls_get_auth_info(state);
- if (info == NULL)
- return GNUTLS_E_INVALID_REQUEST;
-
-
memset(ret, 0, *ret_size);
if ((result =
- _gnutls_get_extension( &info->raw_certificate_list[0], "2 5 29 17", &dnsname)) < 0) {
+ _gnutls_get_extension( cert, "2 5 29 17", &dnsname)) < 0) {
return result;
}
@@ -986,28 +966,20 @@ int gnutls_x509pki_get_subject_dns_name(GNUTLS_STATE state, char* ret, int *ret_
}
/**
- * gnutls_x509pki_get_peer_certificate_activation_time - This function returns the peer's certificate activation time
- * @state: is a gnutls state
+ * gnutls_x509pki_extract_certificate_activation_time - This function returns the peer's certificate activation time
+ * @cert: should contain an X.509 DER encoded certificate
*
- * This function will return the peer's certificate activation time in UNIX time
+ * This function will return the certificate's activation time in UNIX time
* (ie seconds since 00:00:00 UTC January 1, 1970).
* Returns a (time_t) -1 in case of an error.
*
**/
-time_t gnutls_x509pki_get_peer_certificate_activation_time(GNUTLS_STATE
- state)
+time_t gnutls_x509pki_extract_certificate_activation_time(const gnutls_datum * cert)
{
- X509PKI_AUTH_INFO info;
node_asn *c2;
int result;
time_t ret;
- CHECK_AUTH(GNUTLS_X509PKI, -1);
-
- info = _gnutls_get_auth_info(state);
- if (info == NULL)
- return -1;
-
if (asn1_create_structure
(_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2,
"certificate2")
@@ -1016,7 +988,7 @@ time_t gnutls_x509pki_get_peer_certificate_activation_time(GNUTLS_STATE
return -1;
}
- result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size);
+ result = asn1_get_der(c2, cert->data, cert->size);
if (result != ASN_OK) {
/* couldn't decode DER */
#ifdef DEBUG
@@ -1034,28 +1006,20 @@ time_t gnutls_x509pki_get_peer_certificate_activation_time(GNUTLS_STATE
}
/**
- * gnutls_x509pki_get_peer_certificate_expiration_time - This function returns the peer's certificate expiration time
- * @state: is a gnutls state
+ * gnutls_x509pki_extract_certificate_expiration_time - This function returns the certificate's expiration time
+ * @cert: should contain an X.509 DER encoded certificate
*
- * This function will return the peer's certificate expiration time in UNIX time
+ * This function will return the certificate's expiration time in UNIX time
* (ie seconds since 00:00:00 UTC January 1, 1970).
* Returns a (time_t) -1 in case of an error.
*
**/
-time_t gnutls_x509pki_get_peer_certificate_expiration_time(GNUTLS_STATE
- state)
+time_t gnutls_x509pki_extract_certificate_expiration_time( const gnutls_datum* cert)
{
- X509PKI_AUTH_INFO info;
node_asn *c2;
int result;
time_t ret;
- CHECK_AUTH(GNUTLS_X509PKI, -1);
-
- info = _gnutls_get_auth_info(state);
- if (info == NULL)
- return -1;
-
if (asn1_create_structure
(_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2,
"certificate2")
@@ -1064,7 +1028,7 @@ time_t gnutls_x509pki_get_peer_certificate_expiration_time(GNUTLS_STATE
return -1;
}
- result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size);
+ result = asn1_get_der(c2, cert->data, cert->size);
if (result != ASN_OK) {
/* couldn't decode DER */
#ifdef DEBUG
@@ -1082,26 +1046,18 @@ time_t gnutls_x509pki_get_peer_certificate_expiration_time(GNUTLS_STATE
}
/**
- * gnutls_x509pki_get_peer_certificate_version - This function returns the peer's certificate version
- * @state: is a gnutls state
+ * gnutls_x509pki_extract_certificate_version - This function returns the certificate's version
+ * @cert: is an X.509 DER encoded certificate
*
- * This function will return the peer's certificate version (1, 2, 3). This is obtained by the X509 Certificate
- * Version field. If the certificate is invalid then version will be zero.
- * Returns a negative value in case of an error.
+ * This function will return the X.509 certificate's version (1, 2, 3). This is obtained by the X509 Certificate
+ * Version field. Returns a negative value in case of an error.
*
**/
-int gnutls_x509pki_get_peer_certificate_version(GNUTLS_STATE state)
+int gnutls_x509pki_extract_certificate_version( const gnutls_datum* cert)
{
- X509PKI_AUTH_INFO info;
node_asn *c2;
int result;
- CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST);
-
- info = _gnutls_get_auth_info(state);
- if (info == NULL)
- return GNUTLS_E_INVALID_REQUEST;
-
if (asn1_create_structure
(_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2,
"certificate2")
@@ -1110,7 +1066,7 @@ int gnutls_x509pki_get_peer_certificate_version(GNUTLS_STATE state)
return GNUTLS_E_ASN1_ERROR;
}
- result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size);
+ result = asn1_get_der(c2, cert->data, cert->size);
if (result != ASN_OK) {
/* couldn't decode DER */
#ifdef DEBUG
diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c
index 381194c627..a49ca4b186 100644
--- a/lib/gnutls_record.c
+++ b/lib/gnutls_record.c
@@ -408,7 +408,9 @@ int gnutls_send_alert( GNUTLS_STATE state, AlertLevel level, AlertDescription de
*
* Sends an alert to the peer depending on the error code returned by a gnutls
* function. All alerts sent by this function are fatal, so connection should
- * be considered terminated after calling this function.
+ * be considered terminated after calling this function. The only exception
+ * is when err == GNUTLS_E_REHANDSHAKE, then a warning alert is sent to
+ * the peer indicating the no renegotiation will be performed.
*
* This function may also return GNUTLS_E_AGAIN, or GNUTLS_E_INTERRUPTED.
*
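Review bot: The added sentence in the gnutls_send_appropriate_alert header has a wording slip, "indicating the no renegotiation will be performed"; suggest `* the peer indicating that no renegotiation will be performed.`. It would also help callers to say that in this case the connection remains usable, since the rest of the paragraph says it should be considered terminated.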
@@ -441,6 +443,9 @@ int ret = GNUTLS_E_UNIMPLEMENTED_FEATURE;
case GNUTLS_E_UNEXPECTED_PACKET:
ret = gnutls_send_alert( state, GNUTLS_FATAL, GNUTLS_UNEXPECTED_MESSAGE);
break;
+ case GNUTLS_E_REHANDSHAKE:
+ ret = gnutls_send_alert( state, GNUTLS_WARNING, GNUTLS_NO_RENEGOTIATION);
+ break;
}
return ret;
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index d1e7f4afa2..a2f4ae0032 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -105,7 +105,8 @@ int gnutls_anon_client_get_dh_bits(GNUTLS_STATE state)
* @list_size: is the length of the certificate list
*
* This function will return the peer's raw certificate list as sent by the peer.
- * These certificates are DER encoded.
+ * These certificates are DER encoded. The first certificate in the list is the peer's certificate,
+ * following the issuer's certificate, then the issuer's issuer etc.
* Returns NULL in case of an error, or if no certificate was sent.
*
**/
diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h
index 0f017729b4..431833288c 100644
--- a/lib/gnutls_ui.h
+++ b/lib/gnutls_ui.h
@@ -36,7 +36,7 @@ typedef struct {
#define X509KEY_DECIPHER_ONLY 1
-# ifdef LIBGNUTLS_VERSION /* defined only in gnutls.h */
+# ifdef LIBGNUTLS_VERSION /* These are defined only in gnutls.h */
typedef int x509_cert_callback_func(const gnutls_datum *, int, const gnutls_datum *, int);
@@ -59,40 +59,40 @@ int gnutls_anon_client_get_dh_bits( GNUTLS_STATE state);
int gnutls_set_x509_cert_callback( X509PKI_CREDENTIALS, x509_cert_callback_func *);
int gnutls_x509pki_set_cert_request( GNUTLS_STATE, CertificateRequest);
-int gnutls_x509pki_get_certificate_request_status( GNUTLS_STATE);
-int gnutls_x509pki_get_peer_dn( GNUTLS_STATE, gnutls_DN*);
+/* X.509 certificate handling functions */
+int gnutls_x509pki_extract_dn( const gnutls_datum*, gnutls_DN*);
+int gnutls_x509pki_extract_issuer_dn( const gnutls_datum*, gnutls_DN *);
+int gnutls_x509pki_extract_certificate_version( const gnutls_datum*);
+time_t gnutls_x509pki_extract_certificate_activation_time( const gnutls_datum*);
+time_t gnutls_x509pki_extract_certificate_expiration_time( const gnutls_datum*);
+int gnutls_x509pki_extract_subject_dns_name( const gnutls_datum*, char*, int*);
+
+/* get data from the state */
const gnutls_datum* gnutls_x509pki_get_peer_certificate_list( GNUTLS_STATE, int* list_size);
-int gnutls_x509pki_get_issuer_dn( GNUTLS_STATE, gnutls_DN *);
-int gnutls_x509pki_get_peer_certificate_status( GNUTLS_STATE);
-int gnutls_x509pki_get_peer_certificate_version( GNUTLS_STATE);
-time_t gnutls_x509pki_get_peer_certificate_activation_time( GNUTLS_STATE);
-time_t gnutls_x509pki_get_peer_certificate_expiration_time( GNUTLS_STATE);
-unsigned char gnutls_x509pki_get_key_usage( GNUTLS_STATE);
-int gnutls_x509pki_get_subject_dns_name( GNUTLS_STATE, char*, int*);
int gnutls_x509pki_get_dh_bits( GNUTLS_STATE);
+int gnutls_x509pki_get_certificate_request_status( GNUTLS_STATE);
+int gnutls_x509pki_get_peer_certificate_status( GNUTLS_STATE);
#define gnutls_x509pki_server_get_dh_bits gnutls_x509pki_get_dh_bits
#define gnutls_x509pki_client_get_dh_bits gnutls_x509pki_get_dh_bits
-#define gnutls_x509pki_server_get_peer_dn gnutls_x509pki_get_peer_dn
-#define gnutls_x509pki_server_get_issuer_dn gnutls_x509pki_get_issuer_dn
+#define gnutls_x509pki_server_extract_dn gnutls_x509pki_extract_dn
+#define gnutls_x509pki_server_extract_issuer_dn gnutls_x509pki_extract_issuer_dn
#define gnutls_x509pki_server_get_peer_certificate_status gnutls_x509pki_get_peer_certificate_status
-#define gnutls_x509pki_server_get_peer_certificate gnutls_x509pki_get_peer_certificate
-#define gnutls_x509pki_server_get_peer_certificate_version gnutls_x509pki_get_peer_certificate_version
-#define gnutls_x509pki_server_get_peer_certificate_activation_time gnutls_x509pki_get_peer_certificate_activation_time
-#define gnutls_x509pki_server_get_peer_certificate_expiration_time gnutls_x509pki_get_peer_certificate_expiration_time
-#define gnutls_x509pki_server_get_key_usage gnutls_x509pki_get_key_usage
-#define gnutls_x509pki_server_get_subject_dns_name gnutls_x509pki_get_subject_dns_name
-
-#define gnutls_x509pki_client_get_peer_dn gnutls_x509pki_get_peer_dn
-#define gnutls_x509pki_client_get_issuer_dn gnutls_x509pki_get_issuer_dn
+#define gnutls_x509pki_server_get_peer_certificate_list gnutls_x509pki_get_peer_certificate_list
+#define gnutls_x509pki_server_extract_certificate_version gnutls_x509pki_extract_certificate_version
+#define gnutls_x509pki_server_extract_certificate_activation_time gnutls_x509pki_extract_certificate_activation_time
+#define gnutls_x509pki_server_extract_certificate_expiration_time gnutls_x509pki_extract_certificate_expiration_time
+#define gnutls_x509pki_server_extract_subject_dns_name gnutls_x509pki_extract_subject_dns_name
+
+#define gnutls_x509pki_client_extract_dn gnutls_x509pki_extract_dn
+#define gnutls_x509pki_client_extract_issuer_dn gnutls_x509pki_extract_issuer_dn
#define gnutls_x509pki_client_get_peer_certificate_status gnutls_x509pki_get_peer_certificate_status
-#define gnutls_x509pki_client_get_peer_certificate gnutls_x509pki_get_peer_certificate
-#define gnutls_x509pki_client_get_peer_certificate_version gnutls_x509pki_get_peer_certificate_version
-#define gnutls_x509pki_client_get_peer_certificate_activation_time gnutls_x509pki_get_peer_certificate_activation_time
-#define gnutls_x509pki_client_get_peer_certificate_expiration_time gnutls_x509pki_get_peer_certificate_expiration_time
-#define gnutls_x509pki_client_get_key_usage gnutls_x509pki_get_key_usage
-#define gnutls_x509pki_client_get_subject_dns_name gnutls_x509pki_get_subject_dns_name
+#define gnutls_x509pki_client_get_peer_certificate_list gnutls_x509pki_get_peer_certificate_list
+#define gnutls_x509pki_client_extract_certificate_version gnutls_x509pki_extract_certificate_version
+#define gnutls_x509pki_client_extract_certificate_activation_time gnutls_x509pki_extract_certificate_activation_time
+#define gnutls_x509pki_client_extract_certificate_expiration_time gnutls_x509pki_extract_certificate_expiration_time
+#define gnutls_x509pki_client_extract_subject_dns_name gnutls_x509pki_extract_subject_dns_name
# endif /* LIBGNUTLS_VERSION */
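Review bot: `gnutls_x509pki_get_key_usage( GNUTLS_STATE)` and its `gnutls_x509pki_server_get_key_usage` / `gnutls_x509pki_client_get_key_usage` aliases are deleted from the public header in this hunk with no `extract_`-style counterpart declared under the "X.509 certificate handling functions" comment, and the NEWS hunk only says "Updated X.509 certificate handling API". Unlike the other renamed entry points, this one silently disappears for existing callers. If the implementation still exists in auth_x509.c, declare a `const gnutls_datum*`-taking replacement here; otherwise list the removal explicitly in NEWS.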
diff --git a/src/cli.c b/src/cli.c
index 01aa491126..346b4c277e 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -57,9 +57,9 @@ static int print_info( GNUTLS_STATE state) {
const char *tmp;
CredType cred;
gnutls_DN dn;
+const gnutls_datum* cert_list;
CertificateStatus status;
-char dnsname[512];
-int dnsname_size;
+int cert_list_size = 0;
tmp = gnutls_kx_get_name(gnutls_get_current_kx( state));
printf("- Key Exchange: %s\n", tmp);
@@ -71,7 +71,9 @@ int dnsname_size;
gnutls_anon_client_get_dh_bits( state));
case GNUTLS_X509PKI:
+ cert_list = gnutls_x509pki_client_get_peer_certificate_list( state, &cert_list_size);
status = gnutls_x509pki_client_get_peer_certificate_status( state);
+
switch( status) {
case GNUTLS_CERT_NOT_TRUSTED:
printf("- Peer's X509 Certificate was NOT verified\n");
@@ -90,14 +92,14 @@ int dnsname_size;
break;
}
- if (status!=GNUTLS_CERT_NONE && status!=GNUTLS_CERT_INVALID) {
+ if (cert_list_size > 0) {
printf(" - Certificate info:\n");
- printf(" - Certificate version: #%d\n", gnutls_x509pki_client_get_peer_certificate_version( state));
+ printf(" - Certificate version: #%d\n", gnutls_x509pki_client_extract_certificate_version( &cert_list[0]));
- gnutls_x509pki_client_get_peer_dn( state, &dn);
+ gnutls_x509pki_client_extract_dn( &cert_list[0], &dn);
PRINT_DN( dn);
- gnutls_x509pki_client_get_issuer_dn( state, &dn);
+ gnutls_x509pki_client_extract_issuer_dn( &cert_list[0], &dn);
printf(" - Certificate Issuer's info:\n");
PRINT_DN( dn);
}
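Review bot: The new `gnutls_x509pki_client_extract_dn` and `gnutls_x509pki_client_extract_issuer_dn` calls discard their return value, so on a certificate that fails to decode `PRINT_DN( dn)` prints whatever the struct holds after the callee's initial memset, and the version printf prints a negative error code as `#%d`. serv.c in this same commit wraps the two DN calls in `if (... >= 0) { ... }`; do the same here, e.g. `if (gnutls_x509pki_client_extract_dn( &cert_list[0], &dn) >= 0) { PRINT_DN( dn); }`. static print_info continues outside this hunk.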
diff --git a/src/common.h b/src/common.h
index 56f77d4bc5..7a0dc0963d 100644
--- a/src/common.h
+++ b/src/common.h
@@ -8,7 +8,4 @@
PRINTX( "L:", X.locality_name); \
PRINTX( "S:", X.state_or_province_name); \
PRINTX( "C:", X.country); \
- PRINTX( "E:", X.email); \
- dnsname_size = sizeof(dnsname); \
- gnutls_x509pki_client_get_subject_dns_name(state, dnsname, &dnsname_size); \
- PRINTX( "SAN:", dnsname)
+ PRINTX( "E:", X.email)
diff --git a/src/serv.c b/src/serv.c
index 6d9122d992..4f068738af 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -104,13 +104,13 @@ GNUTLS_STATE initialize_state()
void print_info(GNUTLS_STATE state)
{
const char *tmp;
+ const gnutls_datum * cert_list;
unsigned char sesid[32];
int sesid_size, i;
gnutls_DN dn;
CredType cred;
CertificateStatus status;
- char dnsname[512];
- int dnsname_size;
+ int cert_list_size = 0;
/* print session_id specific data */
gnutls_get_current_session_id( state, sesid, &sesid_size);
@@ -141,7 +141,9 @@ void print_info(GNUTLS_STATE state)
break;
case GNUTLS_X509PKI:
- status = gnutls_x509pki_client_get_peer_certificate_status( state);
+ cert_list = gnutls_x509pki_server_get_peer_certificate_list( state, &cert_list_size);
+ status = gnutls_x509pki_server_get_peer_certificate_status( state);
+
switch( status) {
case GNUTLS_CERT_NOT_TRUSTED:
printf("- Peer's X509 Certificate was NOT verified\n");
@@ -164,16 +166,16 @@ void print_info(GNUTLS_STATE state)
printf("\n- Ephemeral DH using prime of %d bits\n",
gnutls_x509pki_server_get_dh_bits( state));
}
-
- if (status!=GNUTLS_CERT_NONE && status!=GNUTLS_CERT_INVALID) {
+
+ if (cert_list_size > 0) {
printf(" - Certificate info:\n");
- printf(" - Certificate version: #%d\n", gnutls_x509pki_client_get_peer_certificate_version(state));
+ printf(" - Certificate version: #%d\n", gnutls_x509pki_server_extract_certificate_version( &cert_list[0]));
- if ( gnutls_x509pki_client_get_peer_dn( state, &dn) >= 0) {
+ if ( gnutls_x509pki_server_extract_dn( &cert_list[0], &dn) >= 0) {
PRINT_DN( dn);
}
- if (gnutls_x509pki_client_get_issuer_dn( state, &dn) >= 0) {
+ if (gnutls_x509pki_server_extract_dn( &cert_list[0], &dn) >= 0) {
printf(" - Certificate Issuer's info:\n");
PRINT_DN( dn);
}
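Review bot: The issuer block calls `gnutls_x509pki_server_extract_dn( &cert_list[0], &dn)` where the removed line called `gnutls_x509pki_client_get_issuer_dn`, so under "Certificate Issuer's info" the server now prints the subject DN a second time and the actual issuer is never shown. It should be `if (gnutls_x509pki_server_extract_issuer_dn( &cert_list[0], &dn) >= 0) {`, which is the alias gnutls_ui.h defines in this commit. print_info continues outside this hunk.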