author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-10-30 18:51:50 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-10-30 18:51:50 +0100 |
commit | c8008cae74231ac83b08a2dc995415f2fea497fc (patch) | |
tree | ef204ab9eb6d77216f5d06e1a5a1b2fad56ed0bb /doc/examples/ex-client-x509.c | |
parent | 1566caaa8063a5b4cd544c97a60cbfedcf6c7a5c (diff) | |
download | gnutls-c8008cae74231ac83b08a2dc995415f2fea497fc.tar.gz |
Simplified certificate verification by adding gnutls_certificate_verify_peers3().
This function combines the RFC 2818 hostname check with the certificate chain verification in a single call.
Diffstat (limited to 'doc/examples/ex-client-x509.c')
-rw-r--r-- | doc/examples/ex-client-x509.c | 41 |
1 files changed, 1 insertions, 40 deletions
diff --git a/doc/examples/ex-client-x509.c b/doc/examples/ex-client-x509.c
index 6939ba36a6..3c90e952a1 100644
--- a/doc/examples/ex-client-x509.c
+++ b/doc/examples/ex-client-x509.c
@@ -142,10 +142,7 @@ static int
 _verify_certificate_callback (gnutls_session_t session)
 {
   unsigned int status;
-  const gnutls_datum_t *cert_list;
-  unsigned int cert_list_size;
   int ret;
-  gnutls_x509_crt_t cert;
   const char *hostname;
 
   /* read hostname */
@@ -154,7 +151,7 @@ _verify_certificate_callback (gnutls_session_t session)
   /* This verification function uses the trusted CAs in the credentials
    * structure. So you must have installed one or more CA certificates.
    */
-  ret = gnutls_certificate_verify_peers2 (session, &status);
+  ret = gnutls_certificate_verify_peers3 (session, hostname, &status);
   if (ret < 0)
     {
       printf ("Error\n");
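Review bot: The new `gnutls_certificate_verify_peers3 (session, hostname, &status)` line is documented to skip the name check entirely when `hostname` is NULL, and `hostname` is assigned between the two hunks, so a session whose pointer was never set would now pass verification with no owner check at all, whereas the removed gnutls_x509_crt_check_hostname path had no such exemption. A guard before the call keeps the example fail-closed: `if (hostname == NULL) return GNUTLS_E_CERTIFICATE_ERROR;`. The hostname mismatch is also now reported only as a bit in `status`; the flag-printing code after this hunk is not visible here, so if it does not test GNUTLS_CERT_UNEXPECTED_OWNER, add `if (status & GNUTLS_CERT_UNEXPECTED_OWNER) printf ("The certificate's owner does not match hostname '%s'\n", hostname);` so the diagnostic the deleted block used to print is not lost. _verify_certificate_callback continues past the end of this hunk.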
@@ -179,42 +176,6 @@ _verify_certificate_callback (gnutls_session_t session)
       return GNUTLS_E_CERTIFICATE_ERROR;
     }
 
-  /* Up to here the process is the same for X.509 certificates and
-   * OpenPGP keys. From now on X.509 certificates are assumed. This can
-   * be easily extended to work with openpgp keys as well.
-   */
-  if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509)
-    return GNUTLS_E_CERTIFICATE_ERROR;
-
-  if (gnutls_x509_crt_init (&cert) < 0)
-    {
-      printf ("error in initialization\n");
-      return GNUTLS_E_CERTIFICATE_ERROR;
-    }
-
-  cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
-  if (cert_list == NULL)
-    {
-      printf ("No certificate was found!\n");
-      return GNUTLS_E_CERTIFICATE_ERROR;
-    }
-
-  if (gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
-    {
-      printf ("error parsing certificate\n");
-      return GNUTLS_E_CERTIFICATE_ERROR;
-    }
-
-
-  if (!gnutls_x509_crt_check_hostname (cert, hostname))
-    {
-      printf ("The certificate's owner does not match hostname '%s'\n",
-              hostname);
-      return GNUTLS_E_CERTIFICATE_ERROR;
-    }
-
-  gnutls_x509_crt_deinit (cert);
-
   /* notify gnutls to continue handshake normally */
   return 0;
 }