Diffstat (limited to 'manual/html_node/Verifying-a-certificate.html')
-rw-r--r-- | manual/html_node/Verifying-a-certificate.html | 63 |
1 files changed, 32 insertions, 31 deletions
diff --git a/manual/html_node/Verifying-a-certificate.html b/manual/html_node/Verifying-a-certificate.html index 5febac394c..d40f853c9e 100644 --- a/manual/html_node/Verifying-a-certificate.html +++ b/manual/html_node/Verifying-a-certificate.html @@ -1,7 +1,7 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <!-- This manual is last updated 4 March 2015 for version -3.4.11 of GnuTLS. +3.5.0 of GnuTLS. Copyright (C) 2001-2015 Free Software Foundation, Inc.\\ Copyright (C) 2001-2015 Nikos Mavrogiannopoulos @@ -12,12 +12,12 @@ any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". --> -<!-- Created by GNU Texinfo 6.0, http://www.gnu.org/software/texinfo/ --> +<!-- Created by GNU Texinfo 6.1, http://www.gnu.org/software/texinfo/ --> <head> -<title>GnuTLS 3.4.11: Verifying a certificate</title> +<title>GnuTLS 3.5.0: Verifying a certificate</title> -<meta name="description" content="GnuTLS 3.4.11: Verifying a certificate"> -<meta name="keywords" content="GnuTLS 3.4.11: Verifying a certificate"> +<meta name="description" content="GnuTLS 3.5.0: Verifying a certificate"> +<meta name="keywords" content="GnuTLS 3.5.0: Verifying a certificate"> <meta name="resource-type" content="document"> <meta name="distribution" content="global"> <meta name="Generator" content="makeinfo"> 
@@ -49,9 +49,8 @@ pre.smalldisplay {font-family: inherit; font-size: smaller} pre.smallexample {font-size: smaller} pre.smallformat {font-family: inherit; font-size: smaller} pre.smalllisp {font-size: smaller} -span.nocodebreak {white-space: nowrap} span.nolinebreak {white-space: nowrap} -span.roman {font-family: serif; font-weight: normal} +span.roman {font-family: initial; font-weight: normal} span.sansserif {font-family: sans-serif; font-weight: normal} ul.no-bullet {list-style: none} body { @@ -177,11 +176,14 @@ functions to verify a given certificate list. #include <stdio.h> #include <stdlib.h> #include <string.h> +#include <assert.h> #include <gnutls/gnutls.h> #include <gnutls/x509.h> #include "examples.h" +#define CHECK(x) assert((x)>=0) + /* All the available CRLs */ gnutls_x509_crl_t *crl_list; @@ -208,18 +210,18 @@ verify_certificate_chain(const char *hostname, int i; gnutls_x509_trust_list_t tlist; gnutls_x509_crt_t *cert; - + gnutls_datum_t txt; unsigned int output; /* Initialize the trusted certificate list. This should be done * once on initialization. gnutls_x509_crt_list_import2() and * gnutls_x509_crl_list_import2() can be used to load them. */ - gnutls_x509_trust_list_init(&tlist, 0); + CHECK(gnutls_x509_trust_list_init(&tlist, 0)); - gnutls_x509_trust_list_add_cas(tlist, ca_list, ca_list_size, 0); - gnutls_x509_trust_list_add_crls(tlist, crl_list, crl_list_size, - GNUTLS_TL_VERIFY_CRL, 0); + CHECK(gnutls_x509_trust_list_add_cas(tlist, ca_list, ca_list_size, 0)); + CHECK(gnutls_x509_trust_list_add_crls(tlist, crl_list, crl_list_size, + GNUTLS_TL_VERIFY_CRL, 0)); cert = malloc(sizeof(*cert) * cert_chain_length); 
@@ -227,39 +229,38 @@ verify_certificate_chain(const char *hostname, * native certificate format. */ for (i = 0; i < cert_chain_length; i++) { - gnutls_x509_crt_init(&cert[i]); - gnutls_x509_crt_import(cert[i], &cert_chain[i], - GNUTLS_X509_FMT_DER); + CHECK(gnutls_x509_crt_init(&cert[i])); + CHECK(gnutls_x509_crt_import(cert[i], &cert_chain[i], + GNUTLS_X509_FMT_DER)); } - gnutls_x509_trust_list_verify_named_crt(tlist, cert[0], hostname, + CHECK(gnutls_x509_trust_list_verify_named_crt(tlist, cert[0], + hostname, strlen(hostname), GNUTLS_VERIFY_DISABLE_CRL_CHECKS, &output, - print_details_func); + print_details_func)); /* if this certificate is not explicitly trusted verify against CAs */ if (output != 0) { - gnutls_x509_trust_list_verify_crt(tlist, cert, + CHECK(gnutls_x509_trust_list_verify_crt(tlist, cert, cert_chain_length, 0, &output, - print_details_func); + print_details_func)); } + + if (output & GNUTLS_CERT_INVALID) { - fprintf(stderr, "Not trusted"); - - if (output & GNUTLS_CERT_SIGNER_NOT_FOUND) - fprintf(stderr, ": no issuer was found"); - if (output & GNUTLS_CERT_SIGNER_NOT_CA) - fprintf(stderr, ": issuer is not a CA"); - if (output & GNUTLS_CERT_NOT_ACTIVATED) - fprintf(stderr, ": not yet activated\n"); - if (output & GNUTLS_CERT_EXPIRED) - fprintf(stderr, ": expired\n"); - - fprintf(stderr, "\n"); + fprintf(stderr, "Not trusted\n"); + CHECK(gnutls_certificate_verification_status_print( + output, + GNUTLS_CRT_X509, + &txt, 0)); + + fprintf(stderr, "Error: %s\n", txt.data); + gnutls_free(txt.data); } else fprintf(stderr, "Trusted\n"); |