The verification function will verify a given certificate chain against a list of certificate
authorities and certificate revocation lists, and output
a bit-wise OR of elements of the @code{gnutls_@-certificate_@-status_t}
-enumeration shown in @ref{gnutls_certificate_status_t}.
+enumeration shown in @ref{gnutls_certificate_status_t}. The @code{GNUTLS_@-CERT_@-INVALID} flag
+is always set on a verification error and more detailed flags will also be set when appropriate.
@showenumdesc{gnutls_certificate_status_t,The @code{gnutls_@-certificate_@-status_t} enumeration.}
Then it is not required to setup a trusted list as above.
The function @funcref{gnutls_certificate_verify_peers2}
-may then be used to verify the peer's certificate chain.
+may then be used to verify the peer's certificate chain. The flags
+are set similarly to the verification functions in the previous section.
There is also the possibility to pass some input to the verification
functions in the form of flags. For @funcref{gnutls_x509_trust_list_verify_crt} the
@menu
* General idea::
* Error handling::
+* Common types::
* Debugging and auditing::
* Thread safety::
* Callback functions::
reference. See @ref{Error codes}, for a description of the available
error codes.
+@node Common types
+@subsection Common types
+
+Several functions in @acronym{GnuTLS} use @code{gnutls_datum_t} which is
+convenient way to combine a pointer to data and data's size. Its definition is
+shown below.
+@verbatim
+ typedef struct
+ {
+ unsigned char *data;
+ unsigned int size;
+ } gnutls_datum_t;
+@end verbatim
+
+Other functions that require data for scattered read use a structure similar
+to @code{struct iovec} typically used by @funcintref{readv}. It is shown
+below.
+@verbatim
+ typedef struct
+ {
+ void *iov_base; /* Starting address */
+ size_t iov_len; /* Number of bytes to transfer */
+ } giovec_t;
+@end verbatim
+
+
@node Debugging and auditing
@subsection Debugging and auditing
Unless in one of the above cases, do not use anonymous authentication.
The available key exchange algorithms for anonymous authentication are
-shown below.
+shown below, but note that few public servers support them. They typically
+have to be explicitly enabled.
@table @code
return GNUTLS_E_CERTIFICATE_ERROR;
}
- if (status & GNUTLS_CERT_INVALID)
- printf ("The certificate is not trusted.\n");
-
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
printf ("The certificate hasn't got a known issuer.\n");
if (status & GNUTLS_CERT_NOT_ACTIVATED)
printf ("The certificate is not yet activated\n");
+ if (status & GNUTLS_CERT_INVALID)
+ {
+ printf ("The certificate is not trusted.\n");
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
/* Up to here the process is the same for X.509 certificates and
* OpenPGP keys. From now on X.509 certificates are assumed. This can
* be easily extended to work with openpgp keys as well.
return GNUTLS_E_CERTIFICATE_ERROR;
}
- /* This is not a real world example, since we only check the first
- * certificate in the given chain.
- */
if (gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
{
printf ("error parsing certificate\n");