GNU TLS NEWS -- History of user-visible changes. -*- outline -*-
-Copyright (C) 2004, 2005, 2006, 2007, 2008 Simon Josefsson
+Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009 Simon Josefsson
Copyright (C) 2000, 2001, 2002, 2003, 2004 Nikos Mavrogiannopoulos
See the end for copying conditions.
** gnutls: gnutls_x509_crq_print will now also print public key id.
+** certtool: --verify-chain now prints results of using library verification.
+Earlier, certtool --verify-chain used its own validation algorithm
+which wasn't guaranteed to give the same result as the libgnutls
+internal validation algorithm. Now this command print a new final
+line with header 'Chain verification output:' that contains the result
+from using the internal verification algorithm on the same chain.
+
** tests: Add crq_key_id self-test of gnutls_x509_crq_get_key_id.
** API and ABI modifications:
/*
- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation
+ * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation
*
* This file is part of GNUTLS.
*
fprintf (outfile, ".\n\n");
+ /* Verify using internal algorithm too. */
+ {
+ int verify_status;
+ int comma;
+
+ ret = gnutls_x509_crt_list_verify (x509_cert_list, x509_ncerts,
+ &x509_cert_list[x509_ncerts - 1], 1,
+ x509_crl_list,
+ x509_ncrls,
+ 0, &verify_status);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "gnutls_x509_crt_list_verify: %s",
+ gnutls_strerror (ret));
+
+ fprintf (outfile, "Chain verification output: ");
+
+ if (verify_status & GNUTLS_CERT_INVALID)
+ {
+ fprintf (outfile, "Not verified");
+ comma = 1;
+ }
+ else
+ {
+ fprintf (outfile, "Verified");
+ comma = 1;
+ }
+
+ if (verify_status & GNUTLS_CERT_SIGNER_NOT_CA)
+ {
+ if (comma)
+ fprintf (outfile, ", ");
+ fprintf (outfile, "Issuer is not a CA");
+ comma = 1;
+ }
+
+ if (verify_status & GNUTLS_CERT_INSECURE_ALGORITHM)
+ {
+ if (comma)
+ fprintf (outfile, ", ");
+ fprintf (outfile, "Insecure algorithm");
+ comma = 1;
+ }
+
+ fprintf (outfile, ".\n");
+ }
+
for (i = 0; i < x509_ncerts; i++)
gnutls_x509_crt_deinit (x509_cert_list[i]);