int fingerprint;
int crlf;
unsigned int verbose = 0;
-extern int print_cert;
+int print_cert;
#define DEFAULT_CA_FILE "/etc/ssl/certs/ca-certificates.crt"
cert, 0);
if (rc == GNUTLS_E_NO_CERTIFICATE_FOUND)
{
- print_cert_info(session, GNUTLS_CRT_PRINT_COMPACT);
+ print_cert_info(session, GNUTLS_CRT_PRINT_COMPACT, 0);
fprintf(stderr, "Host %s has never been contacted before and is not in the trusted list.\n", hostname);
if (status == 0)
fprintf(stderr, "Its certificate is valid for %s.\n", hostname);
}
else if (rc == GNUTLS_E_CERTIFICATE_KEY_MISMATCH)
{
- print_cert_info(session, GNUTLS_CRT_PRINT_COMPACT);
+ print_cert_info(session, GNUTLS_CRT_PRINT_COMPACT, 0);
fprintf(stderr, "Warning: host %s is known and it is associated with a different key.\n", hostname);
fprintf(stderr, "It might be that the server has multiple keys, or an attacker replaced the key to eavesdrop this connection .\n");
if (status == 0)
priorities = OPT_ARG(PRIORITY);
}
verbose = HAVE_OPT( VERBOSE);
+ if (verbose)
+ print_cert = 1;
+ else
+ print_cert = HAVE_OPT( PRINT_CERT);
if (HAVE_OPT(LIST))
{
}
disable_extensions = HAVE_OPT( DISABLE_EXTENSIONS);
- print_cert = HAVE_OPT( PRINT_CERT);
starttls = HAVE_OPT(STARTTLS);
resume = HAVE_OPT(RESUME);
rehandshake = HAVE_OPT(REHANDSHAKE);
if (ret == 0)
{
/* print some information */
- print_info (socket->session);
+ print_info (socket->session, print_cert);
socket->secure = 1;
}
else
}
-/* Returns:
+/* OCSP check for the peer's certificate. Should be called
+ * only after the certificate list verication is complete.
+ * Returns:
* 0: certificate is revoked
* 1: certificate is ok
* -1: dunno
}
/* verify and check the response for revoked cert */
- ret = check_ocsp_response(xcred, &resp);
+ ret = check_ocsp_response(issuer, &resp);
cleanup:
if (deinit_issuer)
#define SU(x) (x!=NULL?x:"Unknown")
-int print_cert;
extern int verbose;
const char str_unknown[] = "(unknown)";
}
static void
-print_x509_info (gnutls_session_t session, int flag)
+print_x509_info (gnutls_session_t session, int flag, int print_cert)
{
gnutls_x509_crt_t crt;
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0, j;
int ret;
- if (flag == GNUTLS_CRT_PRINT_COMPACT)
+ if (flag == GNUTLS_CRT_PRINT_COMPACT && print_cert == 0)
return print_x509_info_compact(session, flag);
cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
}
static void
-print_openpgp_info (gnutls_session_t session, int flag)
+print_openpgp_info (gnutls_session_t session, int flag, int print_cert)
{
gnutls_openpgp_crt_t crt;
unsigned int cert_list_size = 0;
int ret;
- if (flag == GNUTLS_CRT_PRINT_COMPACT)
+ if (flag == GNUTLS_CRT_PRINT_COMPACT && print_cert == 0)
print_openpgp_info_compact(session, flag);
printf (" - Certificate type: OpenPGP\n");
}
static void
-print_dh_info (gnutls_session_t session, const char *str)
+print_dh_info (gnutls_session_t session, const char *str, int print)
{
printf ("- %sDiffie-Hellman parameters\n", str);
printf (" - Using prime: %d bits\n",
printf (" - Peer's public key: %d bits\n",
gnutls_dh_get_peers_public_bits (session));
- if (print_cert)
+ if (print)
{
int ret;
gnutls_datum_t raw_gen = { NULL, 0 };
}
int
-print_info (gnutls_session_t session)
+print_info (gnutls_session_t session, int print_cert)
{
const char *tmp;
gnutls_credentials_type_t cred;
if (kx == GNUTLS_KX_ANON_ECDH)
print_ecdh_info (session, "Anonymous ");
else
- print_dh_info (session, "Anonymous ");
+ print_dh_info (session, "Anonymous ", verbose);
break;
#endif
#ifdef ENABLE_SRP
printf ("- PSK authentication. Connected as '%s'\n",
gnutls_psk_server_get_username (session));
if (kx == GNUTLS_KX_DHE_PSK)
- print_dh_info (session, "Ephemeral ");
+ print_dh_info (session, "Ephemeral ", verbose);
if (kx == GNUTLS_KX_ECDHE_PSK)
print_ecdh_info (session, "Ephemeral ");
break;
}
}
- print_cert_info (session, verbose?GNUTLS_CRT_PRINT_FULL:GNUTLS_CRT_PRINT_COMPACT);
+ print_cert_info (session,
+ verbose?GNUTLS_CRT_PRINT_FULL:GNUTLS_CRT_PRINT_COMPACT,
+ print_cert);
if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS)
- print_dh_info (session, "Ephemeral ");
+ print_dh_info (session, "Ephemeral ", verbose);
else if (kx == GNUTLS_KX_ECDHE_RSA
|| kx == GNUTLS_KX_ECDHE_ECDSA)
print_ecdh_info (session, "Ephemeral ");
}
void
-print_cert_info (gnutls_session_t session, int flag)
+print_cert_info (gnutls_session_t session, int flag, int print_cert)
{
if (gnutls_certificate_client_get_request_status (session) != 0)
switch (gnutls_certificate_type_get (session))
{
case GNUTLS_CRT_X509:
- print_x509_info (session, flag);
+ print_x509_info (session, flag, print_cert);
break;
#ifdef ENABLE_OPENPGP
case GNUTLS_CRT_OPENPGP:
- print_openpgp_info (session, flag);
+ print_openpgp_info (session, flag, print_cert);
break;
#endif
default:
extern const char str_unknown[];
-int print_info (gnutls_session_t state);
-void print_cert_info (gnutls_session_t, int flag);
+int print_info (gnutls_session_t state, int print_cert);
+void print_cert_info (gnutls_session_t, int flag, int print_cert);
void print_list (const char* priorities, int verbose);
int cert_verify (gnutls_session_t session, const char* hostname);
* -1: dunno
*/
int
-check_ocsp_response (gnutls_certificate_credentials xcred,
- gnutls_datum_t *data)
+check_ocsp_response (gnutls_x509_crt_t issuer,
+ gnutls_datum_t *data)
{
gnutls_ocsp_resp_t resp;
int ret;
unsigned int status, cert_status;
- time_t rtime;
+ time_t rtime, ttime;
ret = gnutls_ocsp_resp_init (&resp);
if (ret < 0)
if (ret < 0)
error (EXIT_FAILURE, 0, "importing response: %s", gnutls_strerror (ret));
- ret = gnutls_ocsp_resp_verify_cred (resp, xcred, &status, 0);
+ ret = gnutls_ocsp_resp_verify_direct( resp, issuer, &status, 0);
if (ret < 0)
- error (EXIT_FAILURE, 0, "gnutls_ocsp_resp_verify: %s",
- gnutls_strerror (ret));
+ error (EXIT_FAILURE, 0, "gnutls_ocsp_resp_verify_direct: %s",
+ gnutls_strerror (ret));
+
+ if (status != 0)
+ {
+ printf ("*** Verifying OCSP Response: ");
+ print_ocsp_verify_res (status);
+ printf (".\n");
+ }
- printf ("Verifying OCSP Response: ");
- print_ocsp_verify_res (status);
- printf (".\n");
-
/* do not print revocation data if response was not verified */
if (status != 0)
{
}
ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,
- &cert_status, NULL, NULL, &rtime, NULL);
+ &cert_status, &ttime, NULL, &rtime, NULL);
if (ret < 0)
error (EXIT_FAILURE, 0, "reading response: %s", gnutls_strerror (ret));
if (cert_status == GNUTLS_OCSP_CERT_REVOKED)
{
- printf("Certificate was revoked at %s\n", ctime(&rtime));
+ printf("*** Certificate was revoked at %s", ctime(&rtime));
ret = 0;
goto cleanup;
}
+ printf("- OCSP server flags certificate not revoked as of %s", ctime(&ttime));
ret = 1;
cleanup:
gnutls_ocsp_resp_deinit (resp);
print_ocsp_verify_res (unsigned int output);
int
-check_ocsp_response (gnutls_certificate_credentials xcred,
- gnutls_datum_t *data);
+check_ocsp_response (gnutls_x509_crt_t issuer, gnutls_datum_t *data);
#endif
if (ret < 0)
error (EXIT_FAILURE, 0, "importing response: %s", gnutls_strerror (ret));
- if (!HAVE_OPT(LOAD_SIGNER) && HAVE_OPT(LOAD_TRUST))
+ if (HAVE_OPT(LOAD_TRUST))
{
dat.data = (void*)read_binary_file (OPT_ARG(LOAD_TRUST), &size);
if (dat.data == NULL)
error (EXIT_FAILURE, 0, "error parsing CAs: %s",
gnutls_strerror (ret));
-#if 0
if (HAVE_OPT(VERBOSE))
{
unsigned int i;
+ printf ("Trust anchors:\n");
for (i = 0; i < x509_ncas; i++)
{
gnutls_datum_t out;
error (EXIT_FAILURE, 0, "gnutls_x509_crt_print: %s",
gnutls_strerror (ret));
- printf ("Trust anchor %d: %.*s\n", i, out.size, out.data);
+ printf ("%d: %.*s\n", i, out.size, out.data);
gnutls_free (out.data);
}
+ printf("\n");
}
-#endif
ret = gnutls_x509_trust_list_add_cas (list, x509_ca_list, x509_ncas, 0);
if (ret < 0)
if (HAVE_OPT(VERBOSE))
fprintf (stdout, "Loaded %d trust anchors\n", x509_ncas);
+{
+FILE* f=fopen("resp.der", "w");
+fwrite(data->data, 1, data->size, f);
+fclose(f);
+}
+
ret = gnutls_ocsp_resp_verify (resp, list, &verify, 0);
if (ret < 0)
error (EXIT_FAILURE, 0, "gnutls_ocsp_resp_verify: %s",
gnutls_strerror (ret));
}
- else if (!HAVE_OPT(LOAD_TRUST) && HAVE_OPT(LOAD_SIGNER))
+ else if (HAVE_OPT(LOAD_SIGNER))
{
ret = gnutls_x509_crt_init (&signer);
if (ret < 0)
printf ("Signer: %.*s\n", out.size, out.data);
gnutls_free (out.data);
+ printf("\n");
}
ret = gnutls_ocsp_resp_verify_direct (resp, signer, &verify, 0);
human_addr ((struct sockaddr *)
&client_address, calen, topbuf,
sizeof (topbuf)));
- print_info (j->tls_session);
+ print_info (j->tls_session, verbose);
cert_verify(j->tls_session, NULL);
}
j->handshake_ok = 1;
&client_address, calen, topbuf,
sizeof (topbuf)));
- print_info (j->tls_session);
+ print_info (j->tls_session, verbose);
cert_verify(j->tls_session, NULL);
}
j->handshake_ok = 1;
return ret;
printf ("\n");
- print_cert_info (session, GNUTLS_CRT_PRINT_FULL);
+ print_cert_info (session, GNUTLS_CRT_PRINT_FULL, verbose);
return TEST_SUCCEED;
}