authorNikos Mavrogiannopoulos <nmav@redhat.com>2015-08-24 13:19:51 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2015-08-24 13:19:53 +0200
commit25f2b0814401d1e9c98f3fdc833e09b3c877fc72 (patch)
tree321568db92ed3036a575db1530d11b6763a2db7a /doc/examples
parentee67aa067421dea331f0c7b2e9f719833bb2b5e5 (diff)
downloadgnutls-25f2b0814401d1e9c98f3fdc833e09b3c877fc72.tar.gz
examples: simplify the X.509 client example by using the new verification API
Diffstat (limited to 'doc/examples')
-rw-r--r--doc/examples/ex-client-x509.c90
1 files changed, 20 insertions, 70 deletions
diff --git a/doc/examples/ex-client-x509.c b/doc/examples/ex-client-x509.c
index 98c4c577fa..1478d82b26 100644
--- a/doc/examples/ex-client-x509.c
+++ b/doc/examples/ex-client-x509.c
@@ -22,13 +22,15 @@
extern int tcp_connect(void);
extern void tcp_close(int sd);
-static int _verify_certificate_callback(gnutls_session_t session);
int main(void)
{
int ret, sd, ii;
gnutls_session_t session;
char buffer[MAX_BUF + 1];
+ gnutls_datum_t out;
+ int type;
+ unsigned status;
#if 0
const char *err;
#endif
@@ -49,8 +51,6 @@ int main(void)
*/
gnutls_certificate_set_x509_trust_file(xcred, CAFILE,
GNUTLS_X509_FMT_PEM);
- gnutls_certificate_set_verify_function(xcred,
- _verify_certificate_callback);
/* If client holds a certificate it can be set using the following:
*
@@ -68,7 +68,7 @@ int main(void)
gnutls_server_name_set(session, GNUTLS_NAME_DNS, "my_host_name",
strlen("my_host_name"));
- /* use default priorities */
+ /* It is recommended to use the default priorities */
gnutls_set_default_priority(session);
#if 0
/* if more fine-graned control is required */
@@ -85,6 +85,7 @@ int main(void)
/* put the x509 credentials to the current session
*/
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+ gnutls_session_auto_verify_cert(session, "my_host_name", 0);
/* connect to the peer
*/
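Review bot: The hostname handed to gnutls_session_auto_verify_cert in the added line repeats the "my_host_name" literal that gnutls_server_name_set already uses earlier in main, so the SNI name and the name the peer certificate is checked against can silently diverge when one of them is edited; hoist it into a single constant, e.g. `#define HOSTNAME "my_host_name"`, and use it in both calls. The removed callback also pinned the key purpose via GNUTLS_DT_KEY_PURPOSE_OID / GNUTLS_KP_TLS_WWW_SERVER; whether the automatic verification performs an equivalent purpose check is not visible in this diff, and a one-line comment next to the new call stating what the default checks cover and what the `0` flags argument means would help readers who copy this example. main continues outside the hunk.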
@@ -100,7 +101,6 @@ int main(void)
ret = gnutls_handshake(session);
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
-
if (ret < 0) {
fprintf(stderr, "*** Handshake failed\n");
gnutls_perror(ret);
@@ -113,6 +113,21 @@ int main(void)
gnutls_free(desc);
}
+ /* check certificate verification status */
+ type = gnutls_certificate_type_get(session);
+ status = gnutls_session_get_verify_cert_status(session);
+ ret =
+ gnutls_certificate_verification_status_print(status, type,
+ &out, 0);
+ if (ret < 0) {
+ printf("Error\n");
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+ printf("%s", out.data);
+ gnutls_free(out.data);
+
+ /* send data */
gnutls_record_send(session, MSG, strlen(MSG));
ret = gnutls_record_recv(session, buffer, MAX_BUF);
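Review bot: The status printout added after the `check certificate verification status` comment is only reached once the handshake has succeeded, but with gnutls_session_auto_verify_cert a failed verification aborts the handshake itself, so the reason is never shown on the `*** Handshake failed` path where it is needed and the success path always prints the trusted case. Consider moving the gnutls_session_get_verify_cert_status / gnutls_certificate_verification_status_print block into the handshake-failure branch, guarded by `if (ret == GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR)`, or duplicating it there. The `return GNUTLS_E_CERTIFICATE_ERROR;` after `printf("Error\n")` leaves main without releasing the session or the socket; if main has a cleanup label (the handshake-failure branch appears to continue past this hunk), jump to it instead of returning. `printf("%s", out.data)` passes an unsigned char pointer to `%s`, which works in practice but a `(char *)` cast keeps -Wformat quiet. The handshake-failure branch and the end of main lie outside this hunk.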
@@ -148,68 +163,3 @@ int main(void)
return 0;
}
-
-/* This function will verify the peer's certificate, and check
- * if the hostname matches, as well as the activation, expiration dates.
- */
-static int _verify_certificate_callback(gnutls_session_t session)
-{
- unsigned int status;
- int ret, type;
- const char *hostname;
- gnutls_datum_t out;
-
- /* read hostname */
- hostname = gnutls_session_get_ptr(session);
-
- /* This verification function uses the trusted CAs in the credentials
- * structure. So you must have installed one or more CA certificates.
- */
-
- /* The following demonstrate two different verification functions,
- * the more flexible gnutls_certificate_verify_peers(), as well
- * as the old gnutls_certificate_verify_peers3(). */
-#if 1
- {
- gnutls_typed_vdata_st data[2];
-
- memset(data, 0, sizeof(data));
-
- data[0].type = GNUTLS_DT_DNS_HOSTNAME;
- data[0].data = (void*)hostname;
-
- data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
- data[1].data = (void*)GNUTLS_KP_TLS_WWW_SERVER;
-
- ret = gnutls_certificate_verify_peers(session, data, 2,
- &status);
- }
-#else
- ret = gnutls_certificate_verify_peers3(session, hostname,
- &status);
-#endif
- if (ret < 0) {
- printf("Error\n");
- return GNUTLS_E_CERTIFICATE_ERROR;
- }
-
- type = gnutls_certificate_type_get(session);
-
- ret =
- gnutls_certificate_verification_status_print(status, type,
- &out, 0);
- if (ret < 0) {
- printf("Error\n");
- return GNUTLS_E_CERTIFICATE_ERROR;
- }
-
- printf("%s", out.data);
-
- gnutls_free(out.data);
-
- if (status != 0) /* Certificate is not trusted */
- return GNUTLS_E_CERTIFICATE_ERROR;
-
- /* notify gnutls to continue handshake normally */
- return 0;
-}