authorNikos Mavrogiannopoulos <nmav@gnutls.org>2002-01-02 15:00:14 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2002-01-02 15:00:14 +0000
commit39e5de8077dd56137ff4388b3c0f8075981f9e56 (patch)
treef9c8db489c1424fd1bbd4a1bebd6af556dbaf606
parentfb16dda5ff37e321a92523f79ecd030cf906dc53 (diff)
downloadgnutls-39e5de8077dd56137ff4388b3c0f8075981f9e56.tar.gz
Added gnutls_x509pki_extract_certificate_serial() and some cleanups.
-rw-r--r--NEWS3
-rw-r--r--lib/auth_x509.c49
-rw-r--r--lib/gnutls.h.in.in2
-rw-r--r--lib/gnutls_algorithms.h1
-rw-r--r--lib/gnutls_ui.c12
-rw-r--r--lib/gnutls_ui.h1
-rw-r--r--src/cli.c82
-rw-r--r--src/common.h93
-rw-r--r--src/serv.c100
9 files changed, 152 insertions, 191 deletions
diff --git a/NEWS b/NEWS
index 735e52776c..c22883bba3 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
Version ?.?.?
- Corrected bug which did not allow a client to accept multiple CA names
-- Added gnutls_fingerprint_calc()
+- Added gnutls_fingerprint()
+- Added gnutls_x509pki_extract_certificate_serial()
Version 0.3.1 (21/12/2001)
- Corrections in the configuration files
diff --git a/lib/auth_x509.c b/lib/auth_x509.c
index da5376e0a8..55aeb1d8ef 100644
--- a/lib/auth_x509.c
+++ b/lib/auth_x509.c
@@ -1355,3 +1355,52 @@ int _gnutls_server_find_x509_cert_list_index(GNUTLS_STATE state,
state->gnutls_internals.selected_cert_index = index;
return index;
}
+
+/**
+ * gnutls_x509pki_extract_certificate_serial - This function returns the certificate's serial number
+ * @cert: is an X.509 DER encoded certificate
+ * @result: The place where the serial number will be copied
+ * @result_size: Holds the size of the result field.
+ *
+ * This function will return the X.509 certificate's serial number.
+ * This is obtained by the X509 Certificate serialNumber
+ * field. Serial is not always a 32 or 64bit number. Some CAs use
+ * large serial numbers, thus it may be wise to handle it as something
+ * opaque.
+ * Returns a negative value in case of an error.
+ *
+ **/
+int gnutls_x509pki_extract_certificate_serial(const gnutls_datum * cert, char* result, int* result_size)
+{
+ node_asn *c2;
+ int ret;
+
+ if (asn1_create_structure
+ (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2,
+ "certificate2")
+ != ASN_OK) {
+ gnutls_assert();
+ return GNUTLS_E_ASN1_ERROR;
+ }
+
+ ret = asn1_get_der(c2, cert->data, cert->size);
+ if (ret != ASN_OK) {
+ /* couldn't decode DER */
+#ifdef DEBUG
+ _gnutls_log("Decoding error %d\n", result);
+#endif
+ gnutls_assert();
+ return GNUTLS_E_ASN1_PARSING_ERROR;
+ }
+
+ if ((ret = asn1_read_value(c2, "certificate2.tbsCertificate.serialNumber", result, result_size)) < 0) {
+ gnutls_assert();
+ asn1_delete_structure(c2);
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ asn1_delete_structure(c2);
+
+ return 0;
+
+}
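Review bot: The asn1_get_der failure branch (the `Decoding error` block) returns GNUTLS_E_ASN1_PARSING_ERROR without releasing the structure created just above it, so every malformed or truncated peer certificate leaks `c2`; the later asn1_read_value branch does call `asn1_delete_structure(c2)` before returning and this branch should do the same. That same block also logs `result` (a `char *`) through `%d`; the value meant is evidently the return code, i.e. `_gnutls_log("Decoding error %d\n", ret);`. The docstring should say that @result_size is in/out, since it is passed by pointer to asn1_read_value, and what the caller sees when the supplied buffer is smaller than the serialNumber; from this hunk alone that is only the generic negative return, so worth confirming against asn1_read_value's contract.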
diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in
index 30777d97fe..1dafb8b0d9 100644
--- a/lib/gnutls.h.in.in
+++ b/lib/gnutls.h.in.in
@@ -251,4 +251,4 @@ void gnutls_transport_set_pull_func( GNUTLS_STATE, GNUTLS_PULL_FUNC pull_func);
size_t gnutls_record_get_max_size( GNUTLS_STATE state);
size_t gnutls_record_set_max_size( GNUTLS_STATE state, size_t size);
-int gnutls_fingerprint_calc(GNUTLS_DigestAlgorithm algo, gnutls_datum data, char* result, int* result_size);
+int gnutls_fingerprint(GNUTLS_DigestAlgorithm algo, const gnutls_datum* data, char* result, int* result_size);
diff --git a/lib/gnutls_algorithms.h b/lib/gnutls_algorithms.h
index e7c643b247..7c9a0e8d07 100644
--- a/lib/gnutls_algorithms.h
+++ b/lib/gnutls_algorithms.h
@@ -38,7 +38,6 @@ int _gnutls_mac_priority(GNUTLS_STATE state, MACAlgorithm algorithm);
int _gnutls_mac_count();
/* functions for cipher suites */
-int _gnutls_cipher_suite_is_ok(GNUTLS_CipherSuite algorithm);
int _gnutls_supported_ciphersuites(GNUTLS_STATE state, GNUTLS_CipherSuite **ciphers);
int _gnutls_supported_ciphersuites_sorted(GNUTLS_STATE state, GNUTLS_CipherSuite **ciphers);
int _gnutls_supported_compression_methods(GNUTLS_STATE state, uint8 **comp);
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index 059e608823..3a7bc7ce68 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -172,20 +172,20 @@ int gnutls_x509pki_get_certificate_request_status(GNUTLS_STATE state)
/**
- * gnutls_fingerprint_calc - This function calculates the fingerprint of the given data
+ * gnutls_fingerprint - This function calculates the fingerprint of the given data
* @algo: is a digest algorithm
* @data: is the data
* @result: is the place where the result will be copied.
* @result_size: should hold the size of the result. The actual size
* of the returned result will also be copied there.
*
- * This function will calculate a fingerprint (actually hash), of the
- * given data. The result is not printable data. You should convert
- * it to hex, or something else printable.
+ * This function will calculate a fingerprint (actually a hash), of the
+ * given data. The result is not printable data. You should convert it
+ * to hex, or to something else printable.
* Returns a negative value in case of an error.
*
**/
-int gnutls_fingerprint_calc(DigestAlgorithm algo, gnutls_datum data, char* result, int* result_size)
+int gnutls_fingerprint(DigestAlgorithm algo, const gnutls_datum* data, char* result, int* result_size)
{
GNUTLS_HASH_HANDLE td;
int hash_len = gnutls_hash_get_algo_len(algo);
@@ -199,7 +199,7 @@ int gnutls_fingerprint_calc(DigestAlgorithm algo, gnutls_datum data, char* resul
td = gnutls_hash_init( algo);
if (td==NULL) return GNUTLS_E_HASH_FAILED;
- gnutls_hash( td, data.data, data.size);
+ gnutls_hash( td, data->data, data->size);
gnutls_hash_deinit( td, result);
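Review bot: `data` is now a pointer parameter of a public function but is dereferenced at `data->data`/`data->size` without a NULL check; a guard such as `if (data == NULL || result == NULL) return GNUTLS_E_INVALID_REQUEST;` at the top of gnutls_fingerprint would match the negative-return contract the docstring promises. The function's body starts in the previous hunk and continues past this one, so whether result_size is compared against hash_len before gnutls_hash_deinit writes into `result` is not visible here.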
diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h
index 9f3af78108..1dd4dc1ea0 100644
--- a/lib/gnutls_ui.h
+++ b/lib/gnutls_ui.h
@@ -69,6 +69,7 @@ int gnutls_x509pki_extract_dn( const gnutls_datum*, gnutls_DN*);
int gnutls_x509pki_extract_certificate_dn( const gnutls_datum*, gnutls_DN*);
int gnutls_x509pki_extract_certificate_issuer_dn( const gnutls_datum*, gnutls_DN *);
int gnutls_x509pki_extract_certificate_version( const gnutls_datum*);
+int gnutls_x509pki_extract_certificate_serial(const gnutls_datum * cert, char* result, int* result_size);
time_t gnutls_x509pki_extract_certificate_activation_time( const gnutls_datum*);
time_t gnutls_x509pki_extract_certificate_expiration_time( const gnutls_datum*);
int gnutls_x509pki_extract_subject_dns_name( const gnutls_datum*, char*, int*);
diff --git a/src/cli.c b/src/cli.c
index 255e4ed73f..8446bd577f 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -53,88 +53,6 @@
#define CLIKEYFILE "x509/clikey.pem"
#define CLICERTFILE "x509/clicert.pem"
-static int print_info( GNUTLS_STATE state) {
-const char *tmp;
-CredType cred;
-gnutls_DN dn;
-const gnutls_datum* cert_list;
-CertificateStatus status;
-int cert_list_size = 0;
-
- tmp = gnutls_kx_get_name(gnutls_kx_get_algo( state));
- printf("- Key Exchange: %s\n", tmp);
-
- cred = gnutls_auth_get_type(state);
- switch(cred) {
- case GNUTLS_ANON:
- printf("- Anonymous DH using prime of %d bits\n",
- gnutls_anon_client_get_dh_bits( state));
- break;
- case GNUTLS_X509PKI:
- cert_list = gnutls_x509pki_client_get_peer_certificate_list( state, &cert_list_size);
- status = gnutls_x509pki_client_get_peer_certificate_status( state);
-
- switch( status) {
- case GNUTLS_CERT_NOT_TRUSTED:
- printf("- Peer's X509 Certificate was NOT verified\n");
- break;
- case GNUTLS_CERT_EXPIRED:
- printf("- Peer's X509 Certificate was verified but is expired\n");
- break;
- case GNUTLS_CERT_TRUSTED:
- printf("- Peer's X509 Certificate was verified\n");
- break;
- case GNUTLS_CERT_NONE:
- printf("- Peer did not send any X509 Certificate.\n");
- break;
- case GNUTLS_CERT_INVALID:
- printf("- Peer's X509 Certificate was invalid\n");
- break;
- }
-
- if (cert_list_size > 0) {
- char digest[20];
- int digest_size = sizeof(digest), i;
- char printable[120];
- char* print;
-
- printf(" - Certificate info:\n");
-
- if ( gnutls_fingerprint_calc( GNUTLS_DIG_MD5, cert_list[0], digest, &digest_size) >= 0) {
- print = printable;
- for (i=0;i<digest_size;i++) {
- sprintf( print, "%.2x ", (unsigned char)digest[i]);
- print += 3;
- }
- printf(" - Certificate fingerprint: %s\n", printable);
- }
-
- printf(" - Certificate version: #%d\n", gnutls_x509pki_extract_certificate_version( &cert_list[0]));
-
- gnutls_x509pki_extract_certificate_dn( &cert_list[0], &dn);
- PRINT_DN( dn);
-
- gnutls_x509pki_extract_certificate_issuer_dn( &cert_list[0], &dn);
- printf(" - Certificate Issuer's info:\n");
- PRINT_DN( dn);
- }
- }
-
- tmp = gnutls_protocol_get_name(gnutls_protocol_get_version(state));
- printf("- Version: %s\n", tmp);
-
- tmp = gnutls_compression_get_name(gnutls_compression_get_algo( state));
- printf("- Compression: %s\n", tmp);
-
- tmp = gnutls_cipher_get_name(gnutls_cipher_get_algo( state));
- printf("- Cipher: %s\n", tmp);
-
- tmp = gnutls_mac_get_name(gnutls_mac_get_algo( state));
- printf("- MAC: %s\n", tmp);
-
- return 0;
-}
-
static int cert_callback( GNUTLS_STATE state, const gnutls_datum *client_certs, int ncerts, const gnutls_datum* req_ca_cert, int nreqs) {
if (client_certs==NULL) {
diff --git a/src/common.h b/src/common.h
index 7a0dc0963d..cc616c2494 100644
--- a/src/common.h
+++ b/src/common.h
@@ -9,3 +9,96 @@
PRINTX( "S:", X.state_or_province_name); \
PRINTX( "C:", X.country); \
PRINTX( "E:", X.email)
+
+static int print_info( GNUTLS_STATE state) {
+const char *tmp;
+CredType cred;
+gnutls_DN dn;
+const gnutls_datum* cert_list;
+CertificateStatus status;
+int cert_list_size = 0;
+
+ tmp = gnutls_kx_get_name(gnutls_kx_get_algo( state));
+ printf("- Key Exchange: %s\n", tmp);
+
+ cred = gnutls_auth_get_type(state);
+ switch(cred) {
+ case GNUTLS_ANON:
+ printf("- Anonymous DH using prime of %d bits\n",
+ gnutls_anon_client_get_dh_bits( state));
+ break;
+ case GNUTLS_X509PKI:
+ cert_list = gnutls_x509pki_client_get_peer_certificate_list( state, &cert_list_size);
+ status = gnutls_x509pki_client_get_peer_certificate_status( state);
+
+ switch( status) {
+ case GNUTLS_CERT_NOT_TRUSTED:
+ printf("- Peer's X509 Certificate was NOT verified\n");
+ break;
+ case GNUTLS_CERT_EXPIRED:
+ printf("- Peer's X509 Certificate was verified but is expired\n");
+ break;
+ case GNUTLS_CERT_TRUSTED:
+ printf("- Peer's X509 Certificate was verified\n");
+ break;
+ case GNUTLS_CERT_NONE:
+ printf("- Peer did not send any X509 Certificate.\n");
+ break;
+ case GNUTLS_CERT_INVALID:
+ printf("- Peer's X509 Certificate was invalid\n");
+ break;
+ }
+
+ if (cert_list_size > 0) {
+ char digest[20];
+ char serial[40];
+ int digest_size = sizeof(digest), i;
+ int serial_size = sizeof(serial);
+ char printable[120];
+ char* print;
+
+ printf(" - Certificate info:\n");
+
+ if ( gnutls_fingerprint( GNUTLS_DIG_MD5, &cert_list[0], digest, &digest_size) >= 0) {
+ print = printable;
+ for (i=0;i<digest_size;i++) {
+ sprintf( print, "%.2x ", (unsigned char)digest[i]);
+ print += 3;
+ }
+ printf(" - Certificate fingerprint: %s\n", printable);
+ }
+
+ if ( gnutls_x509pki_extract_certificate_serial( &cert_list[0], serial, &serial_size) >= 0) {
+ print = printable;
+ for (i=0;i<serial_size;i++) {
+ sprintf( print, "%.2x ", (unsigned char)serial[i]);
+ print += 3;
+ }
+ printf(" - Certificate serial number: %s\n", printable);
+ }
+
+ printf(" - Certificate version: #%d\n", gnutls_x509pki_extract_certificate_version( &cert_list[0]));
+
+ gnutls_x509pki_extract_certificate_dn( &cert_list[0], &dn);
+ PRINT_DN( dn);
+
+ gnutls_x509pki_extract_certificate_issuer_dn( &cert_list[0], &dn);
+ printf(" - Certificate Issuer's info:\n");
+ PRINT_DN( dn);
+ }
+ }
+
+ tmp = gnutls_protocol_get_name(gnutls_protocol_get_version(state));
+ printf("- Version: %s\n", tmp);
+
+ tmp = gnutls_compression_get_name(gnutls_compression_get_algo( state));
+ printf("- Compression: %s\n", tmp);
+
+ tmp = gnutls_cipher_get_name(gnutls_cipher_get_algo( state));
+ printf("- Cipher: %s\n", tmp);
+
+ tmp = gnutls_mac_get_name(gnutls_mac_get_algo( state));
+ printf("- MAC: %s\n", tmp);
+
+ return 0;
+}
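Review bot: `printable[120]` is one byte too small for the serial branch: the loop writes three characters per byte of `serial` plus sprintf's terminating NUL, and `serial[40]` lets serial_size reach 40, which needs 121 bytes, so a peer certificate carrying a 40-byte serialNumber overruns the stack buffer by one. Sizing the buffer from the source arrays, `char printable[3 * sizeof(serial) + 1];`, covers both loops (the digest loop needs 61), and bounding the writes with snprintf instead of sprintf would make the limit explicit. Separately, print_info is now a non-inline `static` definition in a header, so it is duplicated in every translation unit that includes common.h and warns wherever it is unused. It also calls only the client-side `gnutls_x509pki_client_get_peer_certificate_list`; if serv.c, whose own print_info this commit deletes, now relies on this copy, the server would be calling client getters on a server state and would no longer print the session ID, SRP user or DH bits the deleted version did — worth confirming against serv.c's includes.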
diff --git a/src/serv.c b/src/serv.c
index 94c4f82840..0a8aa1a675 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -105,106 +105,6 @@ GNUTLS_STATE initialize_state()
return state;
}
-
-void print_info(GNUTLS_STATE state)
-{
- const char *tmp;
- const gnutls_datum * cert_list;
- unsigned char sesid[32];
- int sesid_size, i;
- gnutls_DN dn;
- CredType cred;
- CertificateStatus status;
- int cert_list_size = 0;
-
- /* print session_id specific data */
- gnutls_session_get_id( state, sesid, &sesid_size);
- printf("\n- Session ID: ");
- for(i=0;i<sesid_size;i++)
- printf("%.2X", sesid[i]);
- printf("\n");
-
- /* we could also use the KX algorithm to distinguish the functions
- * to call, but this is easier.
- */
- cred = gnutls_auth_get_type(state);
-
- switch(cred) {
- case GNUTLS_SRP:
- /* print srp specific data */
- printf("\n- User '%s' connected\n",
- gnutls_srp_server_get_username( state));
- break;
- case GNUTLS_ANON:
- printf("\n- Anonymous DH using prime of %d bits\n",
- gnutls_anon_server_get_dh_bits( state));
- break;
-
- case GNUTLS_X509PKI:
- cert_list = gnutls_x509pki_server_get_peer_certificate_list( state, &cert_list_size);
- status = gnutls_x509pki_server_get_peer_certificate_status( state);
-
- switch( status) {
- case GNUTLS_CERT_NOT_TRUSTED:
- printf("- Peer's X509 Certificate was NOT verified\n");
- break;
- case GNUTLS_CERT_EXPIRED:
- printf("- Peer's X509 Certificate was verified but is expired\n");
- break;
- case GNUTLS_CERT_TRUSTED:
- printf("- Peer's X509 Certificate was verified\n");
- break;
- case GNUTLS_CERT_NONE:
- printf("- Peer did not send any certificate.\n");
- break;
- case GNUTLS_CERT_INVALID:
- printf("- Peer's X509 Certificate was invalid\n");
- break;
- }
-
- if (gnutls_kx_get_algo(state) == GNUTLS_KX_X509PKI_DHE_RSA || gnutls_kx_get_algo(state) == GNUTLS_KX_X509PKI_DHE_DSS) {
- printf("\n- Ephemeral DH using prime of %d bits\n",
- gnutls_x509pki_server_get_dh_bits( state));
- }
-
- if (cert_list_size > 0) {
- printf(" - Certificate info:\n");
- printf(" - Certificate version: #%d\n", gnutls_x509pki_extract_certificate_version( &cert_list[0]));
-
- if ( gnutls_x509pki_extract_certificate_dn( &cert_list[0], &dn) >= 0) {
- PRINT_DN( dn);
- }
-
- if (gnutls_x509pki_extract_certificate_issuer_dn( &cert_list[0], &dn) >= 0) {
- printf(" - Certificate Issuer's info:\n");
- PRINT_DN( dn);
- }
- }
- }
-
-
- /* print state information */
-
- tmp = gnutls_protocol_get_name( gnutls_protocol_get_version(state));
- printf("- Version: %s\n", tmp);
-
- tmp = gnutls_kx_get_name(gnutls_kx_get_algo(state));
- printf("- Key Exchange: %s\n", tmp);
-
- tmp =
- gnutls_compression_get_name
- (gnutls_compression_get_algo(state));
- printf("- Compression: %s\n", tmp);
-
- tmp = gnutls_cipher_get_name(gnutls_cipher_get_algo(state));
- printf("- Cipher: %s\n", tmp);
-
- tmp = gnutls_mac_get_name(gnutls_mac_get_algo(state));
- printf("- MAC: %s\n", tmp);
-
-
-}
-
/* Creates html with the current state information.
*/
#define tmp2 &http_buffer[strlen(http_buffer)]