This function simplifies printing the certificate verification status.
gnutls_session_get_id2: Added
gnutls_certificate_update_verify_flags: Added
gnutls_certificate_verify_peers3: Added
+gnutls_certificate_verification_status_print: Added
GNUTLS_CERT_REVOCATION_DATA_TOO_OLD: Added.
GNUTLS_CERT_REVOCATION_DATA_INVALID: Added.
_verify_certificate_callback (gnutls_session_t session)
{
unsigned int status;
- int ret;
+ int ret, type;
const char *hostname;
+ gnutls_datum_t out;
/* read hostname */
hostname = gnutls_session_get_ptr (session);
return GNUTLS_E_CERTIFICATE_ERROR;
}
- if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
- printf ("The certificate hasn't got a known issuer.\n");
+ type = gnutls_certificate_type_get (session);
- if (status & GNUTLS_CERT_REVOKED)
- printf ("The certificate has been revoked.\n");
-
- if (status & GNUTLS_CERT_EXPIRED)
- printf ("The certificate has expired\n");
-
- if (status & GNUTLS_CERT_NOT_ACTIVATED)
- printf ("The certificate is not yet activated\n");
-
- if (status & GNUTLS_CERT_INVALID)
+ ret = gnutls_certificate_verification_status_print( status, type, &out, 0);
+ if (ret < 0)
{
- printf ("The certificate is not trusted.\n");
+ printf ("Error\n");
return GNUTLS_E_CERTIFICATE_ERROR;
}
+
+ printf ("%s", out.data);
+
+ gnutls_free(out.data);
/* notify gnutls to continue handshake normally */
return 0;
unsigned int status;
const gnutls_datum_t *cert_list;
unsigned int cert_list_size;
- int ret;
+ int ret, type;
+ gnutls_datum_t out;
const char *hostname;
/* read hostname */
printf ("Error\n");
return GNUTLS_E_CERTIFICATE_ERROR;
}
+
+ type = gnutls_certificate_type_get (session);
- if (status & GNUTLS_CERT_INVALID)
- printf ("The certificate is not trusted.\n");
-
- if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
- printf ("The certificate hasn't got a known issuer.\n");
-
- if (status & GNUTLS_CERT_REVOKED)
- printf ("The certificate has been revoked.\n");
-
- if (status & GNUTLS_CERT_EXPIRED)
- printf ("The certificate has expired\n");
-
- if (status & GNUTLS_CERT_NOT_ACTIVATED)
- printf ("The certificate is not yet activated\n");
+ ret = gnutls_certificate_verification_status_print( status, type, &out, 0);
+ if (ret < 0)
+ {
+ printf ("Error\n");
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+ printf ("%s", out.data);
+
+ gnutls_free(out.data);
+ /* Do SSH verification */
cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
if (cert_list == NULL)
{
/* service may be obtained alternatively using getservbyport() */
ret = gnutls_verify_stored_pubkey(NULL, NULL, hostname, "https",
- gnutls_certificate_type_get (session),
- &cert_list[0], 0);
+ type, &cert_list[0], 0);
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
{
printf("Host %s is not known.", hostname);
if (ret != 0)
{
ret = gnutls_store_pubkey(NULL, NULL, hostname, "https",
- gnutls_certificate_type_get (session),
- &cert_list[0], 0, 0);
+ type, &cert_list[0], 0, 0);
if (ret < 0)
printf("gnutls_store_pubkey: %s\n", gnutls_strerror(ret));
}
int verify_certificate_callback (gnutls_session_t session)
{
unsigned int status;
- int ret;
+ int ret, type;
const char *hostname;
+ gnutls_datum_t out;
/* read hostname */
hostname = gnutls_session_get_ptr (session);
return GNUTLS_E_CERTIFICATE_ERROR;
}
- if (status & GNUTLS_CERT_INVALID)
- printf ("The certificate is not trusted.\n");
+ type = gnutls_certificate_type_get (session);
- if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
- printf ("The certificate hasn't got a known issuer.\n");
-
- if (status & GNUTLS_CERT_REVOKED)
- printf ("The certificate has been revoked.\n");
-
- if (status & GNUTLS_CERT_EXPIRED)
- printf ("The certificate has expired\n");
-
- if (status & GNUTLS_CERT_NOT_ACTIVATED)
- printf ("The certificate is not yet activated\n");
+ ret = gnutls_certificate_verification_status_print( status, type, &out, 0);
+ if (ret < 0)
+ {
+ printf ("Error\n");
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+ printf ("%s", out.data);
+
+ gnutls_free(out.data);
/* notify gnutls to continue handshake normally */
return 0;
#ifdef ENABLE_OPENPGP
#include "openpgp/gnutls_openpgp.h"
#endif
+#include "gettext.h"
+#define _(String) dgettext (PACKAGE, String)
/**
* gnutls_certificate_free_keys:
return 0;
}
+
+/**
+ * gnutls_certificate_verification_status_print:
+ * @status: The status flags to be printed
+ * @type: The certificate type
+ * @out: Newly allocated datum with (0) terminated string.
+ * @flags: should be zero
+ *
+ * This function will pretty print the status of a verification
+ * process -- eg. the one obtained by gnutls_certificate_verify_peers3().
+ *
+ * The output @out needs to be deallocated using gnutls_free().
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ **/
+int
+gnutls_certificate_verification_status_print (unsigned int status,
+ gnutls_certificate_type_t type,
+ gnutls_datum_t * out, unsigned int flags)
+{
+ gnutls_buffer_st str;
+ int ret;
+
+ _gnutls_buffer_init (&str);
+
+ if (type == GNUTLS_CRT_X509)
+ {
+ if (status == 0)
+ _gnutls_buffer_append_str (&str, _("- Peer's certificate is trusted\n"));
+ else
+ {
+ if (status & GNUTLS_CERT_INVALID)
+ _gnutls_buffer_append_str (&str, _("- Peer's certificate is NOT trusted\n"));
+
+ if (status & GNUTLS_CERT_REVOKED)
+ _gnutls_buffer_append_str (&str, _("- Peer's certificate chain revoked\n"));
+
+ if (status & GNUTLS_CERT_REVOCATION_DATA_TOO_OLD)
+ _gnutls_buffer_append_str (&str, _("- The revocation data provided by the peer are too old\n"));
+
+ if (status & GNUTLS_CERT_REVOCATION_DATA_INVALID)
+ _gnutls_buffer_append_str (&str, _("- The revocation data provided by the peer are invalid\n"));
+
+ if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
+ _gnutls_buffer_append_str (&str, _("- Peer's certificate issuer is unknown\n"));
+
+ if (status & GNUTLS_CERT_SIGNER_NOT_CA)
+ _gnutls_buffer_append_str (&str, _("- Peer's certificate issuer is not a CA\n"));
+ }
+ }
+ else if (type == GNUTLS_CRT_OPENPGP)
+ {
+ if (status == 0)
+ _gnutls_buffer_append_str (&str, _("- Peer's key is valid\n"));
+
+ if (status & GNUTLS_CERT_INVALID)
+ _gnutls_buffer_append_str (&str, _("- Peer's certificate is invalid\n"));
+
+ if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
+ _gnutls_buffer_append_str (&str, _("- Could not find a signer of the peer's certificate\n"));
+
+ if (status & GNUTLS_CERT_REVOKED)
+ _gnutls_buffer_append_str (&str, _("- Peer's certificate is revoked\n"));
+ }
+
+ if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
+ _gnutls_buffer_append_str (&str, _("- Peer's certificate chain uses insecure algorithm\n"));
+
+ if (status & GNUTLS_CERT_NOT_ACTIVATED)
+ _gnutls_buffer_append_str (&str, _("- Peer's certificate chain uses not yet valid certificate\n"));
+
+ if (status & GNUTLS_CERT_EXPIRED)
+ _gnutls_buffer_append_str (&str, _("- Peer's certificate chain uses expired certificate\n"));
+
+ if (status & GNUTLS_CERT_UNEXPECTED_OWNER)
+ _gnutls_buffer_append_str (&str, _("- The name in the certificate does not match the expected\n"));
+
+ ret = _gnutls_buffer_to_datum( &str, out);
+ if (out->size > 0) out->size--;
+
+ return ret;
+}
const char* hostname,
unsigned int *status);
+ int gnutls_certificate_verification_status_print (unsigned int status,
+ gnutls_certificate_type_t type,
+ gnutls_datum_t * out, unsigned int flags);
+
int gnutls_pem_base64_encode (const char *msg, const gnutls_datum_t * data,
char *result, size_t * result_size);
int gnutls_pem_base64_decode (const char *header,
gnutls_session_get_id2;
gnutls_certificate_update_verify_flags;
gnutls_certificate_verify_peers3;
+ gnutls_certificate_verification_status_print;
} GNUTLS_3_0_0;
GNUTLS_PRIVATE {
* %GNUTLS_CRT_PRINT_ONELINE format will generate one line with some
* selected fields, which is useful for logging purposes.
*
- * The output @out needs to be deallocate using gnutls_free().
+ * The output @out needs to be deallocated using gnutls_free().
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
* This function will pretty print a X.509 certificate revocation
* list, suitable for display to a human.
*
- * The output @out needs to be deallocate using gnutls_free().
+ * The output @out needs to be deallocated using gnutls_free().
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
* This function will pretty print a certificate request, suitable for
* display to a human.
*
- * The output @out needs to be deallocate using gnutls_free().
+ * The output @out needs to be deallocated using gnutls_free().
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
{
int rc;
unsigned int status = 0;
+ gnutls_datum_t out;
int type;
rc = gnutls_certificate_verify_peers3 (session, hostname, &status);
}
type = gnutls_certificate_type_get (session);
- if (type == GNUTLS_CRT_X509)
- {
-
- if (status & GNUTLS_CERT_REVOKED)
- printf ("- Peer's certificate chain revoked\n");
- if (status & GNUTLS_CERT_REVOCATION_DATA_TOO_OLD)
- printf ("- The revocation data provided by the peer are too old\n");
- if (status & GNUTLS_CERT_REVOCATION_DATA_INVALID)
- printf ("- The revocation data provided by the peer are invalid\n");
- if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
- printf ("- Peer's certificate issuer is unknown\n");
- if (status & GNUTLS_CERT_SIGNER_NOT_CA)
- printf ("- Peer's certificate issuer is not a CA\n");
- if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
- printf
- ("- Peer's certificate chain uses insecure algorithm\n");
- if (status & GNUTLS_CERT_NOT_ACTIVATED)
- printf
- ("- Peer's certificate chain uses not yet valid certificate\n");
- if (status & GNUTLS_CERT_EXPIRED)
- printf
- ("- Peer's certificate chain uses expired certificate\n");
- if (status & GNUTLS_CERT_INVALID)
- printf ("- Peer's certificate is NOT trusted\n");
- else
- printf ("- Peer's certificate is trusted\n");
- }
- else if (type == GNUTLS_CRT_OPENPGP)
- {
- if (status & GNUTLS_CERT_INVALID)
- printf ("- Peer's key is invalid\n");
- else
- printf ("- Peer's key is valid\n");
- if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
- printf ("- Could not find a signer of the peer's key\n");
- }
- else
+ rc = gnutls_certificate_verification_status_print( status, type, &out, 0);
+ if (rc < 0)
{
- fprintf(stderr, "Unknown certificate type\n");
- status |= GNUTLS_CERT_INVALID;
+ printf ("- Could not print verification flags (err: %s)\n",
+ gnutls_strerror (rc));
+ return 0;
}
+ printf ("%s", out.data);
+
+ gnutls_free(out.data);
+
if (status)
return 0;