author | Simon Josefsson <simon@josefsson.org> | 2009-01-06 23:15:00 +0100 |
---|---|---|
committer | Simon Josefsson <simon@josefsson.org> | 2009-01-06 23:15:00 +0100 |
commit | 2fa07e11f4885c05f115fdc0e66803662d4237d0 (patch) | |
tree | 9a4f33caa9678fded70697b26560478912aee978 | |
parent | c9281f9a38e8d2da51e23f7c39d7f55cd01ef091 (diff) | |
download | gnutls-2fa07e11f4885c05f115fdc0e66803662d4237d0.tar.gz |
certtool: Make --verify-chain use libgnutls verification algorithm.
-rw-r--r-- | NEWS | 9 | ||||
-rw-r--r-- | src/certtool.c | 48 |
2 files changed, 55 insertions, 2 deletions
@@ -1,5 +1,5 @@
 GNU TLS NEWS -- History of user-visible changes. -*- outline -*-
-Copyright (C) 2004, 2005, 2006, 2007, 2008 Simon Josefsson
+Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009 Simon Josefsson
 Copyright (C) 2000, 2001, 2002, 2003, 2004 Nikos Mavrogiannopoulos
 See the end for copying conditions.
@@ -11,6 +11,13 @@ Patch from David Marín Carreño <davefx@gmail.com> in
 ** gnutls: gnutls_x509_crq_print will now also print public key id.
+** certtool: --verify-chain now prints results of using library verification.
+Earlier, certtool --verify-chain used its own validation algorithm
+which wasn't guaranteed to give the same result as the libgnutls
+internal validation algorithm. Now this command print a new final
+line with header 'Chain verification output:' that contains the result
+from using the internal verification algorithm on the same chain.
+
 ** tests: Add crq_key_id self-test of gnutls_x509_crq_get_key_id.
 ** API and ABI modifications:
diff --git a/src/certtool.c b/src/certtool.c
index 65f244ec35..c8f4f375fc 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation
+ * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation
 *
 * This file is part of GNUTLS.
 *
@@ -2184,6 +2184,52 @@ _verify_x509_mem (const void *cert, int cert_size)
 fprintf (outfile, ".\n\n");
+ /* Verify using internal algorithm too. */
+ {
+ int verify_status;
+ int comma;
+
+ ret = gnutls_x509_crt_list_verify (x509_cert_list, x509_ncerts,
+ &x509_cert_list[x509_ncerts - 1], 1,
+ x509_crl_list,
+ x509_ncrls,
+ 0, &verify_status);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "gnutls_x509_crt_list_verify: %s",
+ gnutls_strerror (ret));
+
+ fprintf (outfile, "Chain verification output: ");
+
+ if (verify_status & GNUTLS_CERT_INVALID)
+ {
+ fprintf (outfile, "Not verified");
+ comma = 1;
+ }
+ else
+ {
+ fprintf (outfile, "Verified");
+ comma = 1;
+ }
+
+ if (verify_status & GNUTLS_CERT_SIGNER_NOT_CA)
+ {
+ if (comma)
+ fprintf (outfile, ", ");
+ fprintf (outfile, "Issuer is not a CA");
+ comma = 1;
+ }
+
+ if (verify_status & GNUTLS_CERT_INSECURE_ALGORITHM)
+ {
+ if (comma)
+ fprintf (outfile, ", ");
+ fprintf (outfile, "Insecure algorithm");
+ comma = 1;
+ }
+
+ fprintf (outfile, ".\n");
+ }
+
 for (i = 0; i < x509_ncerts; i++)
 gnutls_x509_crt_deinit (x509_cert_list[i]);
|
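Review bot: The trust anchor handed to gnutls_x509_crt_list_verify is `&x509_cert_list[x509_ncerts - 1]`, the chain's own last certificate, so a "Verified" line only means the chain is internally consistent down to whatever certificate the user supplied last, not that it reaches an externally trusted root; a comment such as `/* The chain's last cert is used as the sole trust anchor, so "Verified" does not imply trust by any CA store. */` above the call would keep the output from being misread. The status decoding is also incomplete: CRLs are passed in, and the library can report GNUTLS_CERT_REVOKED or GNUTLS_CERT_SIGNER_NOT_FOUND alongside GNUTLS_CERT_INVALID, yet the output then says only "Not verified" with no reason, so those two flags deserve the same treatment as GNUTLS_CERT_SIGNER_NOT_CA. The index `x509_ncerts - 1` presumes at least one certificate was parsed; if nothing earlier in _verify_x509_mem (which begins and ends outside the hunk) rejects an empty chain, it reads before the array. Finally, `comma` is set to 1 in both branches of the first if/else, so the later `if (comma)` checks can never be false and the variable can be dropped in favour of unconditional separators.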