author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2001-12-05 13:41:46 +0000 |
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2001-12-05 13:41:46 +0000 |
commit | 3566f540c2ea57ef3fced95b06f6ba52f4f24ab8 (patch) | |
tree | d47fb1e64c4060ff98543f33fa82d048ba533e7d | |
parent | 091cea8dbd1e5fbd940d4c863b68d5eb5ff7cab3 (diff) | |
download | gnutls-3566f540c2ea57ef3fced95b06f6ba52f4f24ab8.tar.gz |
optimized certificate handling API
-rw-r--r-- | NEWS | 5 | ||||
-rw-r--r-- | doc/tex/ex1.tex | 4 | ||||
-rw-r--r-- | doc/tex/ex2.tex | 1 | ||||
-rw-r--r-- | doc/tex/ex3.tex | 26 | ||||
-rw-r--r-- | lib/auth_x509.c | 106 | ||||
-rw-r--r-- | lib/gnutls_record.c | 7 | ||||
-rw-r--r-- | lib/gnutls_ui.c | 3 | ||||
-rw-r--r-- | lib/gnutls_ui.h | 54 | ||||
-rw-r--r-- | src/cli.c | 14 | ||||
-rw-r--r-- | src/common.h | 5 | ||||
-rw-r--r-- | src/serv.c | 18 |
11 files changed, 106 insertions, 137 deletions
@@ -2,8 +2,9 @@ Version ?.?.? - gnutls_handshake(), gnutls_read() etc. functions no longer require the 'SOCKET cd' argument. This argument is set using the function gnutls_set_transport_ptr(). -- introduced gnutls_x509pki_get_peer_certificate(). This function returns - the peer's certificate DER encoded. +- introduced gnutls_x509pki_get_peer_certificate_list(). This function returns + a list containing peer's certificate and issuers DER encoded. +- Updated X.509 certificate handling API - Buffer overflow checking in ASN.1 structures parser Version 0.2.11 (16/11/2001) diff --git a/doc/tex/ex1.tex b/doc/tex/ex1.tex index 891f01f3ce..957bcc78a5 100644 --- a/doc/tex/ex1.tex +++ b/doc/tex/ex1.tex @@ -139,8 +139,10 @@ int main() } else { if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED || ret == GNUTLS_E_FATAL_ALERT_RECEIVED) printf("* Received alert [%d]\n", gnutls_get_last_alert(state)); - if (ret == GNUTLS_E_REHANDSHAKE) + if (ret == GNUTLS_E_REHANDSHAKE) { printf("* Received HelloRequest message (server asked to rehandshake)\n"); + gnutls_send_appropriate_alert( state, ret); /* we don't want rehandshake */ + } } if (ret > 0) { diff --git a/doc/tex/ex2.tex b/doc/tex/ex2.tex index b8c9637033..96f9bbb5fe 100644 --- a/doc/tex/ex2.tex +++ b/doc/tex/ex2.tex @@ -113,6 +113,7 @@ int main() printf("* Received alert [%d]\n", gnutls_get_last_alert(state)); if (ret == GNUTLS_E_REHANDSHAKE) printf("* Received HelloRequest message (server asked to rehandshake)\n"); + gnutls_send_appropriate_alert( state, ret); /* we don't want rehandshake */ } if (ret > 0) { diff --git a/doc/tex/ex3.tex b/doc/tex/ex3.tex index d9aab17d45..2a6b3229c2 100644 --- a/doc/tex/ex3.tex +++ b/doc/tex/ex3.tex 
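Review bot: The added `gnutls_send_appropriate_alert( state, ret);` in doc/tex/ex2.tex is not part of the `if (ret == GNUTLS_E_REHANDSHAKE)` body, because that `if` has no braces and already owns the `printf` on the line before, so the no-renegotiation alert is sent for every error that reaches this `else` branch, not only on a HelloRequest. The parallel change in ex1.tex in this same commit braces the body; the example here should do the same: `if (ret == GNUTLS_E_REHANDSHAKE) {` … `gnutls_send_appropriate_alert( state, ret);` `}`. The enclosing `main` continues outside the hunk.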
@@ -7,13 +7,11 @@ PRINTX( "L:", X->locality_name); \ PRINTX( "S:", X->state_or_province_name); \ PRINTX( "C:", X->country); \ - PRINTX( "E:", X->email); \ - PRINTX( "SAN:", gnutls_x509pki_client_get_subject_dns_name( state)) + PRINTX( "E:", X->email) int print_info(GNUTLS_STATE state) { const char *tmp; - const gnutls_DN* dn; /* print the key exchange's algorithm name */ @@ -23,6 +21,9 @@ int print_info(GNUTLS_STATE state) /* in case of X509 PKI */ if (gnutls_get_auth_type(state) == GNUTLS_X509PKI) { + const gnutls_DN* dn; + const gnutls_datum* cert_list; + int cert_list_size = 0; CertificateStatus status; KXAlgorithm kx; @@ -37,6 +38,7 @@ int print_info(GNUTLS_STATE state) status = gnutls_x509pki_client_get_peer_certificate_status( state); + cert_list = gnutls_x509pki_client_get_peer_certificate_list( state, &cert_list_size); switch( status) { case GNUTLS_CERT_NOT_TRUSTED: 
@@ -56,30 +58,30 @@ int print_info(GNUTLS_STATE state) break; } - if (status!=GNUTLS_CERT_NONE && status!=GNUTLS_CERT_INVALID) { + if ( cert_list_size > 0) { printf(" - Certificate info:\n"); - printf(" - Certificate version: #%d\n", gnutls_x509pki_client_get_peer_certificate_version( state)); + printf(" - Certificate version: #%d\n", gnutls_x509pki_client_extract_certificate_version( &cert_list[0])); - dn = gnutls_x509pki_client_get_peer_dn( state); - PRINT_DN(dn); + gnutls_x509pki_client_extract_dn( &cert_list[0], &dn); + PRINT_DN( dn); + gnutls_x509pki_client_extract_issuer_dn( &cert_list[0], &dn); printf(" - Certificate Issuer's info:\n"); - dn = gnutls_x509pki_client_get_issuer_dn( state); PRINT_DN(dn); } } - tmp = gnutls_version_get_name(gnutls_get_current_version(state)); + tmp = gnutls_version_get_name(gnutls_get_current_version( state)); printf("- Version: %s\n", tmp); - tmp = gnutls_compression_get_name(gnutls_get_current_compression_method(state)); + tmp = gnutls_compression_get_name(gnutls_get_current_compression_method( state)); printf("- Compression: %s\n", tmp); - tmp = gnutls_cipher_get_name(gnutls_get_current_cipher(state)); + tmp = gnutls_cipher_get_name(gnutls_get_current_cipher( state)); printf("- Cipher: %s\n", tmp); - tmp = gnutls_mac_get_name(gnutls_get_current_mac_algorithm(state)); + tmp = gnutls_mac_get_name(gnutls_get_current_mac_algorithm( state)); printf("- MAC: %s\n", tmp); return 0; diff --git a/lib/auth_x509.c b/lib/auth_x509.c index b29adfb52b..054fc30a91 100644 --- a/lib/auth_x509.c +++ b/lib/auth_x509.c @@ -819,7 +819,7 @@ int _gnutls_find_apr_cert( GNUTLS_STATE state, gnutls_cert** apr_cert_list, int /** * gnutls_x509pki_get_peer_dn - This function returns the peer's distinguished name - * @state: is a gnutls state + * @cert: should contain an X.509 DER encoded certificate * @ret: a pointer to a structure to hold the peer's name * * This function will return the name of the peer. The name is gnutls_DN structure and 
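Review bot: In doc/tex/ex3.tex `gnutls_x509pki_client_extract_dn( &cert_list[0], &dn);` passes `&dn` although `dn` is declared `const gnutls_DN* dn;` earlier in this commit, so the argument is a `gnutls_DN **` while the prototype added to lib/gnutls_ui.h takes `gnutls_DN *`, and `PRINT_DN( dn)` then dereferences a pointer that nothing ever set. The example should hold the structure by value, `gnutls_DN dn;`, with PRINT_DN/PRINTX using `X.field` as src/common.h does, or else keep the pointer and pass `dn` itself. Both extract calls also discard their return value, so a certificate that fails to decode is still printed. print_info continues outside the hunk.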
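Review bot: The kernel-doc header in this lib/auth_x509.c hunk still names `gnutls_x509pki_get_peer_dn`, while the function it documents is renamed to `gnutls_x509pki_extract_dn` in the next hunk, so generated API documentation will describe a symbol that no longer exists; the other renamed functions in this file did get their headers updated. Change the first line to ` * gnutls_x509pki_extract_dn - This function returns the certificate's subject distinguished name`. The sentence ` * This function will return the name of the peer.` should likewise say it returns the subject name stated in the given certificate, since the input is now any DER certificate rather than the peer's.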
@@ -828,20 +828,13 @@ int _gnutls_find_apr_cert( GNUTLS_STATE state, gnutls_cert** apr_cert_list, int * Returns a negative error code in case of an error. * **/ -int gnutls_x509pki_get_peer_dn(GNUTLS_STATE state, gnutls_DN * ret) +int gnutls_x509pki_extract_dn(const gnutls_datum* cert, gnutls_DN * ret) { - X509PKI_AUTH_INFO info; node_asn *c2; int result; - CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST); - memset( ret, 0, sizeof(gnutls_DN)); - info = _gnutls_get_auth_info(state); - if (info == NULL) - return GNUTLS_E_INVALID_REQUEST; - if (asn1_create_structure (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2, "certificate2") @@ -851,7 +844,7 @@ int gnutls_x509pki_get_peer_dn(GNUTLS_STATE state, gnutls_DN * ret) } - result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size); + result = asn1_get_der(c2, cert->data, cert->size); if (result != ASN_OK) { /* couldn't decode DER */ #ifdef DEBUG 
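Review bot: `gnutls_x509pki_extract_dn` drops the `memset( ret, 0, sizeof(gnutls_DN));` that `gnutls_x509pki_get_peer_dn` performed and nothing in the hunk re-initialises `*ret`; the callers changed in this commit (src/cli.c, src/serv.c) pass an uninitialised automatic `gnutls_DN dn` and then print its fields through PRINT_DN, so any field the parser later in the function (outside the hunk) fills only when the attribute is present would be read uninitialised. The old `info == NULL` guard is also removed without a replacement, so `cert->data` is dereferenced unchecked; the same two omissions apply to `gnutls_x509pki_extract_issuer_dn` in the next hunk, and the missing NULL check to the activation-time, expiration-time and version functions further down this file. I would restore `memset( ret, 0, sizeof(gnutls_DN));` and add `if (cert == NULL || ret == NULL) return GNUTLS_E_INVALID_REQUEST;` at the top of both DN functions, with the matching `return -1;` / error return in the time and version ones. The function body continues past the hunk.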
@@ -876,30 +869,23 @@ int gnutls_x509pki_get_peer_dn(GNUTLS_STATE state, gnutls_DN * ret) } /** - * gnutls_x509pki_get_issuer_dn - This function returns the peer's issuer distinguished name - * @state: is a gnutls state + * gnutls_x509pki_extract_issuer_dn - This function returns the certificate's issuer distinguished name + * @cert: should contain an X.509 DER encoded certificate * @ret: a pointer to a structure to hold the issuer's name * - * This function will return the name of the issuer of peer. The name is a gnutls_DN structure and + * This function will return the name of the issuer stated in the certificate. The name is a gnutls_DN structure and * is a obtained by the peer's certificate. If the certificate send by the * peer is invalid, or in any other failure this function returns error. * Returns a negative error code in case of an error. * **/ -int gnutls_x509pki_get_issuer_dn(GNUTLS_STATE state, gnutls_DN * ret) +int gnutls_x509pki_extract_issuer_dn(const gnutls_datum* cert, gnutls_DN * ret) { - X509PKI_AUTH_INFO info; node_asn *c2; int result; - CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST); - memset( ret, 0, sizeof(gnutls_DN)); - info = _gnutls_get_auth_info(state); - if (info == NULL) - return GNUTLS_E_INVALID_REQUEST; - if (asn1_create_structure (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2, "certificate2") @@ -908,7 +894,7 @@ int gnutls_x509pki_get_issuer_dn(GNUTLS_STATE state, gnutls_DN * ret) return GNUTLS_E_ASN1_ERROR; } - result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size); + result = asn1_get_der(c2, cert->data, cert->size); if (result != ASN_OK) { /* couldn't decode DER */ #ifdef DEBUG 
@@ -933,12 +919,14 @@ int gnutls_x509pki_get_issuer_dn(GNUTLS_STATE state, gnutls_DN * ret) } /** - * gnutls_x509pki_get_subject_dns_name - This function returns the peer's dns name, if any - * @state: is a gnutls state + * gnutls_x509pki_extract_subject_dns_name - This function returns the peer's dns name, if any + * @cert: should contain an X.509 DER encoded certificate * @ret: is the place where dns name will be copied to * @ret_size: holds the size of ret. * - * This function will return the peer's alternative name (the dns part of it). + * This function will return the alternative name (the dns part of it), contained in the + * given certificate. + * * This is specified in X509v3 Certificate Extensions. * GNUTLS will only return the dnsName of the Alternative name, or a negative * error code. @@ -948,23 +936,15 @@ int gnutls_x509pki_get_issuer_dn(GNUTLS_STATE state, gnutls_DN * ret) * If the certificate does not have a DNS name then returns GNUTLS_E_DATA_NOT_AVAILABLE; * **/ -int gnutls_x509pki_get_subject_dns_name(GNUTLS_STATE state, char* ret, int *ret_size) +int gnutls_x509pki_extract_subject_dns_name(const gnutls_datum* cert, char* ret, int *ret_size) { - X509PKI_AUTH_INFO info; int result; gnutls_datum dnsname; - CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info(state); - if (info == NULL) - return GNUTLS_E_INVALID_REQUEST; - - memset(ret, 0, *ret_size); if ((result = - _gnutls_get_extension( &info->raw_certificate_list[0], "2 5 29 17", &dnsname)) < 0) { + _gnutls_get_extension( cert, "2 5 29 17", &dnsname)) < 0) { return result; } 
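Review bot: `gnutls_x509pki_extract_subject_dns_name` no longer zeroes the caller's buffer — the `memset(ret, 0, *ret_size);` line is removed and not replaced — while the `ret`/`ret_size` contract is unchanged. If the copy into `ret` later in this function (outside the hunk) relied on that memset for NUL termination, callers now get an unterminated string; either restore `memset(ret, 0, *ret_size);` before the `_gnutls_get_extension` call or confirm that the copy path terminates explicitly. `cert` is also handed to `_gnutls_get_extension` without a NULL check, where the old code returned GNUTLS_E_INVALID_REQUEST when no auth info was available.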
@@ -986,28 +966,20 @@ int gnutls_x509pki_get_subject_dns_name(GNUTLS_STATE state, char* ret, int *ret_ } /** - * gnutls_x509pki_get_peer_certificate_activation_time - This function returns the peer's certificate activation time - * @state: is a gnutls state + * gnutls_x509pki_extract_certificate_activation_time - This function returns the peer's certificate activation time + * @cert: should contain an X.509 DER encoded certificate * - * This function will return the peer's certificate activation time in UNIX time + * This function will return the certificate's activation time in UNIX time * (ie seconds since 00:00:00 UTC January 1, 1970). * Returns a (time_t) -1 in case of an error. * **/ -time_t gnutls_x509pki_get_peer_certificate_activation_time(GNUTLS_STATE - state) +time_t gnutls_x509pki_extract_certificate_activation_time(const gnutls_datum * cert) { - X509PKI_AUTH_INFO info; node_asn *c2; int result; time_t ret; - CHECK_AUTH(GNUTLS_X509PKI, -1); - - info = _gnutls_get_auth_info(state); - if (info == NULL) - return -1; - if (asn1_create_structure (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2, "certificate2") @@ -1016,7 +988,7 @@ time_t gnutls_x509pki_get_peer_certificate_activation_time(GNUTLS_STATE return -1; } - result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size); + result = asn1_get_der(c2, cert->data, cert->size); if (result != ASN_OK) { /* couldn't decode DER */ #ifdef DEBUG 
@@ -1034,28 +1006,20 @@ time_t gnutls_x509pki_get_peer_certificate_activation_time(GNUTLS_STATE } /** - * gnutls_x509pki_get_peer_certificate_expiration_time - This function returns the peer's certificate expiration time - * @state: is a gnutls state + * gnutls_x509pki_extract_certificate_expiration_time - This function returns the certificate's expiration time + * @cert: should contain an X.509 DER encoded certificate * - * This function will return the peer's certificate expiration time in UNIX time + * This function will return the certificate's expiration time in UNIX time * (ie seconds since 00:00:00 UTC January 1, 1970). * Returns a (time_t) -1 in case of an error. * **/ -time_t gnutls_x509pki_get_peer_certificate_expiration_time(GNUTLS_STATE - state) +time_t gnutls_x509pki_extract_certificate_expiration_time( const gnutls_datum* cert) { - X509PKI_AUTH_INFO info; node_asn *c2; int result; time_t ret; - CHECK_AUTH(GNUTLS_X509PKI, -1); - - info = _gnutls_get_auth_info(state); - if (info == NULL) - return -1; - if (asn1_create_structure (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2, "certificate2") @@ -1064,7 +1028,7 @@ time_t gnutls_x509pki_get_peer_certificate_expiration_time(GNUTLS_STATE return -1; } - result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size); + result = asn1_get_der(c2, cert->data, cert->size); if (result != ASN_OK) { /* couldn't decode DER */ #ifdef DEBUG 
@@ -1082,26 +1046,18 @@ time_t gnutls_x509pki_get_peer_certificate_expiration_time(GNUTLS_STATE } /** - * gnutls_x509pki_get_peer_certificate_version - This function returns the peer's certificate version - * @state: is a gnutls state + * gnutls_x509pki_extract_certificate_version - This function returns the certificate's version + * @cert: is an X.509 DER encoded certificate * - * This function will return the peer's certificate version (1, 2, 3). This is obtained by the X509 Certificate - * Version field. If the certificate is invalid then version will be zero. - * Returns a negative value in case of an error. + * This function will return the X.509 certificate's version (1, 2, 3). This is obtained by the X509 Certificate + * Version field. Returns a negative value in case of an error. * **/ -int gnutls_x509pki_get_peer_certificate_version(GNUTLS_STATE state) +int gnutls_x509pki_extract_certificate_version( const gnutls_datum* cert) { - X509PKI_AUTH_INFO info; node_asn *c2; int result; - CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info(state); - if (info == NULL) - return GNUTLS_E_INVALID_REQUEST; - if (asn1_create_structure (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2, "certificate2") @@ -1110,7 +1066,7 @@ int gnutls_x509pki_get_peer_certificate_version(GNUTLS_STATE state) return GNUTLS_E_ASN1_ERROR; } - result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size); + result = asn1_get_der(c2, cert->data, cert->size); if (result != ASN_OK) { /* couldn't decode DER */ #ifdef DEBUG diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c index 381194c627..a49ca4b186 100644 --- a/lib/gnutls_record.c +++ b/lib/gnutls_record.c 
@@ -408,7 +408,9 @@ int gnutls_send_alert( GNUTLS_STATE state, AlertLevel level, AlertDescription de * * Sends an alert to the peer depending on the error code returned by a gnutls * function. All alerts sent by this function are fatal, so connection should - * be considered terminated after calling this function. + * be considered terminated after calling this function. The only exception + * is when err == GNUTLS_E_REHANDSHAKE, then a warning alert is sent to + * the peer indicating the no renegotiation will be performed. * * This function may also return GNUTLS_E_AGAIN, or GNUTLS_E_INTERRUPTED. * @@ -441,6 +443,9 @@ int ret = GNUTLS_E_UNIMPLEMENTED_FEATURE; case GNUTLS_E_UNEXPECTED_PACKET: ret = gnutls_send_alert( state, GNUTLS_FATAL, GNUTLS_UNEXPECTED_MESSAGE); break; + case GNUTLS_E_REHANDSHAKE: + ret = gnutls_send_alert( state, GNUTLS_WARNING, GNUTLS_NO_RENEGOTIATION); + break; } return ret; diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c index d1e7f4afa2..a2f4ae0032 100644 --- a/lib/gnutls_ui.c +++ b/lib/gnutls_ui.c @@ -105,7 +105,8 @@ int gnutls_anon_client_get_dh_bits(GNUTLS_STATE state) * @list_size: is the length of the certificate list * * This function will return the peer's raw certificate list as sent by the peer. - * These certificates are DER encoded. + * These certificates are DER encoded. The first certificate in the list is the peer's certificate, + * following the issuer's certificate, then the issuer's issuer etc. * Returns NULL in case of an error, or if no certificate was sent. * **/ diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h index 0f017729b4..431833288c 100644 --- a/lib/gnutls_ui.h +++ b/lib/gnutls_ui.h @@ -36,7 +36,7 @@ typedef struct { #define X509KEY_DECIPHER_ONLY 1 -# ifdef LIBGNUTLS_VERSION /* defined only in gnutls.h */ +# ifdef LIBGNUTLS_VERSION /* These are defined only in gnutls.h */ typedef int x509_cert_callback_func(const gnutls_datum *, int, const gnutls_datum *, int); 
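Review bot: The new doc sentence for `gnutls_send_appropriate_alert` reads `the peer indicating the no renegotiation will be performed`, which should be `the peer indicating that no renegotiation will be performed`. Since this is now the one case in which the function sends a warning rather than a fatal alert, the comment should also say what that means for the caller, e.g. ` * In that case the connection remains usable and the caller may continue reading and writing.` The switch that gains the `GNUTLS_E_REHANDSHAKE` case is in the following hunk.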
@@ -59,40 +59,40 @@ int gnutls_anon_client_get_dh_bits( GNUTLS_STATE state); int gnutls_set_x509_cert_callback( X509PKI_CREDENTIALS, x509_cert_callback_func *); int gnutls_x509pki_set_cert_request( GNUTLS_STATE, CertificateRequest); -int gnutls_x509pki_get_certificate_request_status( GNUTLS_STATE); -int gnutls_x509pki_get_peer_dn( GNUTLS_STATE, gnutls_DN*); +/* X.509 certificate handling functions */ +int gnutls_x509pki_extract_dn( const gnutls_datum*, gnutls_DN*); +int gnutls_x509pki_extract_issuer_dn( const gnutls_datum*, gnutls_DN *); +int gnutls_x509pki_extract_certificate_version( const gnutls_datum*); +time_t gnutls_x509pki_extract_certificate_activation_time( const gnutls_datum*); +time_t gnutls_x509pki_extract_certificate_expiration_time( const gnutls_datum*); +int gnutls_x509pki_extract_subject_dns_name( const gnutls_datum*, char*, int*); + +/* get data from the state */ const gnutls_datum* gnutls_x509pki_get_peer_certificate_list( GNUTLS_STATE, int* list_size); -int gnutls_x509pki_get_issuer_dn( GNUTLS_STATE, gnutls_DN *); -int gnutls_x509pki_get_peer_certificate_status( GNUTLS_STATE); -int gnutls_x509pki_get_peer_certificate_version( GNUTLS_STATE); -time_t gnutls_x509pki_get_peer_certificate_activation_time( GNUTLS_STATE); -time_t gnutls_x509pki_get_peer_certificate_expiration_time( GNUTLS_STATE); -unsigned char gnutls_x509pki_get_key_usage( GNUTLS_STATE); -int gnutls_x509pki_get_subject_dns_name( GNUTLS_STATE, char*, int*); int gnutls_x509pki_get_dh_bits( GNUTLS_STATE); +int gnutls_x509pki_get_certificate_request_status( GNUTLS_STATE); +int gnutls_x509pki_get_peer_certificate_status( GNUTLS_STATE); #define gnutls_x509pki_server_get_dh_bits gnutls_x509pki_get_dh_bits #define gnutls_x509pki_client_get_dh_bits gnutls_x509pki_get_dh_bits -#define gnutls_x509pki_server_get_peer_dn gnutls_x509pki_get_peer_dn -#define gnutls_x509pki_server_get_issuer_dn gnutls_x509pki_get_issuer_dn +#define gnutls_x509pki_server_extract_dn gnutls_x509pki_extract_dn +#define 
gnutls_x509pki_server_extract_issuer_dn gnutls_x509pki_extract_issuer_dn #define gnutls_x509pki_server_get_peer_certificate_status gnutls_x509pki_get_peer_certificate_status -#define gnutls_x509pki_server_get_peer_certificate gnutls_x509pki_get_peer_certificate -#define gnutls_x509pki_server_get_peer_certificate_version gnutls_x509pki_get_peer_certificate_version -#define gnutls_x509pki_server_get_peer_certificate_activation_time gnutls_x509pki_get_peer_certificate_activation_time -#define gnutls_x509pki_server_get_peer_certificate_expiration_time gnutls_x509pki_get_peer_certificate_expiration_time -#define gnutls_x509pki_server_get_key_usage gnutls_x509pki_get_key_usage -#define gnutls_x509pki_server_get_subject_dns_name gnutls_x509pki_get_subject_dns_name - -#define gnutls_x509pki_client_get_peer_dn gnutls_x509pki_get_peer_dn -#define gnutls_x509pki_client_get_issuer_dn gnutls_x509pki_get_issuer_dn +#define gnutls_x509pki_server_get_peer_certificate_list gnutls_x509pki_get_peer_certificate_list +#define gnutls_x509pki_server_extract_certificate_version gnutls_x509pki_extract_certificate_version +#define gnutls_x509pki_server_extract_certificate_activation_time gnutls_x509pki_extract_certificate_activation_time +#define gnutls_x509pki_server_extract_certificate_expiration_time gnutls_x509pki_extract_certificate_expiration_time +#define gnutls_x509pki_server_extract_subject_dns_name gnutls_x509pki_extract_subject_dns_name + +#define gnutls_x509pki_client_extract_dn gnutls_x509pki_extract_dn +#define gnutls_x509pki_client_extract_issuer_dn gnutls_x509pki_extract_issuer_dn #define gnutls_x509pki_client_get_peer_certificate_status gnutls_x509pki_get_peer_certificate_status -#define gnutls_x509pki_client_get_peer_certificate gnutls_x509pki_get_peer_certificate -#define gnutls_x509pki_client_get_peer_certificate_version gnutls_x509pki_get_peer_certificate_version -#define gnutls_x509pki_client_get_peer_certificate_activation_time 
gnutls_x509pki_get_peer_certificate_activation_time -#define gnutls_x509pki_client_get_peer_certificate_expiration_time gnutls_x509pki_get_peer_certificate_expiration_time -#define gnutls_x509pki_client_get_key_usage gnutls_x509pki_get_key_usage -#define gnutls_x509pki_client_get_subject_dns_name gnutls_x509pki_get_subject_dns_name +#define gnutls_x509pki_client_get_peer_certificate_list gnutls_x509pki_get_peer_certificate_list +#define gnutls_x509pki_client_extract_certificate_version gnutls_x509pki_extract_certificate_version +#define gnutls_x509pki_client_extract_certificate_activation_time gnutls_x509pki_extract_certificate_activation_time +#define gnutls_x509pki_client_extract_certificate_expiration_time gnutls_x509pki_extract_certificate_expiration_time +#define gnutls_x509pki_client_extract_subject_dns_name gnutls_x509pki_extract_subject_dns_name # endif /* LIBGNUTLS_VERSION */ @@ -57,9 +57,9 @@ static int print_info( GNUTLS_STATE state) { const char *tmp; CredType cred; gnutls_DN dn; +const gnutls_datum* cert_list; CertificateStatus status; -char dnsname[512]; -int dnsname_size; +int cert_list_size = 0; tmp = gnutls_kx_get_name(gnutls_get_current_kx( state)); printf("- Key Exchange: %s\n", tmp); @@ -71,7 +71,9 @@ int dnsname_size; gnutls_anon_client_get_dh_bits( state)); case GNUTLS_X509PKI: + cert_list = gnutls_x509pki_client_get_peer_certificate_list( state, &cert_list_size); status = gnutls_x509pki_client_get_peer_certificate_status( state); + switch( status) { case GNUTLS_CERT_NOT_TRUSTED: printf("- Peer's X509 Certificate was NOT verified\n"); 
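Review bot: This lib/gnutls_ui.h hunk removes the prototype for `gnutls_x509pki_get_key_usage` together with its `server_`/`client_` aliases, but no `extract_key_usage`-style replacement taking a `const gnutls_datum*` is declared, and NEWS only records the certificate-list and DN changes. If the definition in lib/auth_x509.c still exists (this diff does not touch it), applications calling it now compile against an implicit declaration; if it was meant to go, the public API loses the only way to check a certificate's keyUsage extension. Either add a declaration under `/* X.509 certificate handling functions */` or record the removal in NEWS. The `@@ -57,9 +57,9 @@ static int print_info` hunk that follows on this line appears to belong to src/cli.c; its `diff --git` header is missing from the page.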
@@ -90,14 +92,14 @@ int dnsname_size; break; } - if (status!=GNUTLS_CERT_NONE && status!=GNUTLS_CERT_INVALID) { + if (cert_list_size > 0) { printf(" - Certificate info:\n"); - printf(" - Certificate version: #%d\n", gnutls_x509pki_client_get_peer_certificate_version( state)); + printf(" - Certificate version: #%d\n", gnutls_x509pki_client_extract_certificate_version( &cert_list[0])); - gnutls_x509pki_client_get_peer_dn( state, &dn); + gnutls_x509pki_client_extract_dn( &cert_list[0], &dn); PRINT_DN( dn); - gnutls_x509pki_client_get_issuer_dn( state, &dn); + gnutls_x509pki_client_extract_issuer_dn( &cert_list[0], &dn); printf(" - Certificate Issuer's info:\n"); PRINT_DN( dn); } diff --git a/src/common.h b/src/common.h index 56f77d4bc5..7a0dc0963d 100644 --- a/src/common.h +++ b/src/common.h @@ -8,7 +8,4 @@ PRINTX( "L:", X.locality_name); \ PRINTX( "S:", X.state_or_province_name); \ PRINTX( "C:", X.country); \ - PRINTX( "E:", X.email); \ - dnsname_size = sizeof(dnsname); \ - gnutls_x509pki_client_get_subject_dns_name(state, dnsname, &dnsname_size); \ - PRINTX( "SAN:", dnsname) + PRINTX( "E:", X.email) diff --git a/src/serv.c b/src/serv.c index 6d9122d992..4f068738af 100644 --- a/src/serv.c +++ b/src/serv.c @@ -104,13 +104,13 @@ GNUTLS_STATE initialize_state() void print_info(GNUTLS_STATE state) { const char *tmp; + const gnutls_datum * cert_list; unsigned char sesid[32]; int sesid_size, i; gnutls_DN dn; CredType cred; CertificateStatus status; - char dnsname[512]; - int dnsname_size; + int cert_list_size = 0; /* print session_id specific data */ gnutls_get_current_session_id( state, sesid, &sesid_size); 
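Review bot: In this hunk (src/cli.c print_info, judging by the hunk context; the file header is not on the page) the results of `gnutls_x509pki_client_extract_dn( &cert_list[0], &dn);` and `gnutls_x509pki_client_extract_issuer_dn( &cert_list[0], &dn);` are discarded before `PRINT_DN( dn)`, while `dn` is an uninitialised automatic declared in the `@@ -57,9` hunk and the extract functions in this commit no longer zero it. A certificate that fails to decode therefore prints whatever the stack held; src/serv.c in the same commit guards both calls with `>= 0`, so do the same here: `if (gnutls_x509pki_client_extract_dn( &cert_list[0], &dn) >= 0) { PRINT_DN( dn); }`. print_info continues outside the hunk.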
@@ -141,7 +141,9 @@ void print_info(GNUTLS_STATE state) break; case GNUTLS_X509PKI: - status = gnutls_x509pki_client_get_peer_certificate_status( state); + cert_list = gnutls_x509pki_server_get_peer_certificate_list( state, &cert_list_size); + status = gnutls_x509pki_server_get_peer_certificate_status( state); + switch( status) { case GNUTLS_CERT_NOT_TRUSTED: printf("- Peer's X509 Certificate was NOT verified\n"); @@ -164,16 +166,16 @@ void print_info(GNUTLS_STATE state) printf("\n- Ephemeral DH using prime of %d bits\n", gnutls_x509pki_server_get_dh_bits( state)); } - - if (status!=GNUTLS_CERT_NONE && status!=GNUTLS_CERT_INVALID) { + + if (cert_list_size > 0) { printf(" - Certificate info:\n"); - printf(" - Certificate version: #%d\n", gnutls_x509pki_client_get_peer_certificate_version(state)); + printf(" - Certificate version: #%d\n", gnutls_x509pki_server_extract_certificate_version( &cert_list[0])); - if ( gnutls_x509pki_client_get_peer_dn( state, &dn) >= 0) { + if ( gnutls_x509pki_server_extract_dn( &cert_list[0], &dn) >= 0) { PRINT_DN( dn); } - if (gnutls_x509pki_client_get_issuer_dn( state, &dn) >= 0) { + if (gnutls_x509pki_server_extract_dn( &cert_list[0], &dn) >= 0) { printf(" - Certificate Issuer's info:\n"); PRINT_DN( dn); } |
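Review bot: The issuer block in src/serv.c calls `gnutls_x509pki_server_extract_dn( &cert_list[0], &dn)` a second time, so the text printed under ` - Certificate Issuer's info:` is the subject DN again rather than the issuer's; the code it replaces called `gnutls_x509pki_client_get_issuer_dn`, and src/cli.c in this commit uses `extract_issuer_dn` at the same spot. Change the line to `if (gnutls_x509pki_server_extract_issuer_dn( &cert_list[0], &dn) >= 0) {`. print_info continues outside the hunk.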