author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2016-04-24 15:11:00 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2016-04-24 15:11:03 +0200 |
commit | efa68504b3308f2aea79ef6cb1dcf3034ecbc93f (patch) | |
tree | bfc3913fd1c77fdd475daf3aa54493bc01b38144 /doc/examples/ex-verify.c | |
parent | 6199cb7c9c4517a73de9a33a2f2feb173b7f05e2 (diff) | |
download | gnutls-efa68504b3308f2aea79ef6cb1dcf3034ecbc93f.tar.gz |
examples: added error checks and updated verify_certificate_chain()
Diffstat (limited to 'doc/examples/ex-verify.c')
-rw-r--r-- | doc/examples/ex-verify.c | 50 |
1 files changed, 26 insertions, 24 deletions
diff --git a/doc/examples/ex-verify.c b/doc/examples/ex-verify.c
index 45618b9fe9..0aa9922f81 100644
--- a/doc/examples/ex-verify.c
+++ b/doc/examples/ex-verify.c
@@ -7,11 +7,14 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <assert.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include "examples.h"
+#define CHECK(x) assert((x)>=0)
+
/* All the available CRLs */
gnutls_x509_crl_t *crl_list;
@@ -38,18 +41,18 @@ verify_certificate_chain(const char *hostname,
int i;
gnutls_x509_trust_list_t tlist;
gnutls_x509_crt_t *cert;
-
+ gnutls_datum_t txt;
unsigned int output;
/* Initialize the trusted certificate list. This should be done
* once on initialization. gnutls_x509_crt_list_import2() and
* gnutls_x509_crl_list_import2() can be used to load them.
*/
- gnutls_x509_trust_list_init(&tlist, 0);
+ CHECK(gnutls_x509_trust_list_init(&tlist, 0));
- gnutls_x509_trust_list_add_cas(tlist, ca_list, ca_list_size, 0);
- gnutls_x509_trust_list_add_crls(tlist, crl_list, crl_list_size,
- GNUTLS_TL_VERIFY_CRL, 0);
+ CHECK(gnutls_x509_trust_list_add_cas(tlist, ca_list, ca_list_size, 0));
+ CHECK(gnutls_x509_trust_list_add_crls(tlist, crl_list, crl_list_size,
+ GNUTLS_TL_VERIFY_CRL, 0));
cert = malloc(sizeof(*cert) * cert_chain_length);
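Review bot: `#define CHECK(x) assert((x)>=0)` makes every wrapped call vanish when the example is built with `NDEBUG`, because `assert` then expands to `((void)0)` without evaluating its argument — so `gnutls_x509_trust_list_init`, `_add_cas` and `_add_crls` in the second hunk are simply not executed and `tlist` is used uninitialised. Example code that readers copy should evaluate the call unconditionally and fail closed, e.g. `#define CHECK(x) do { if ((x) < 0) { fprintf(stderr, "%s failed\n", #x); exit(1); } } while (0)`, which also removes the need for `<assert.h>`. The commit message says error checks were added, yet the `malloc` for `cert` at the end of the second hunk is still unchecked; `if (cert == NULL) exit(1);` would complete that. verify_certificate_chain() begins before and continues after this hunk.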
@@ -57,39 +60,38 @@ verify_certificate_chain(const char *hostname,
* native certificate format. */
for (i = 0; i < cert_chain_length; i++) {
- gnutls_x509_crt_init(&cert[i]);
- gnutls_x509_crt_import(cert[i], &cert_chain[i],
- GNUTLS_X509_FMT_DER);
+ CHECK(gnutls_x509_crt_init(&cert[i]));
+ CHECK(gnutls_x509_crt_import(cert[i], &cert_chain[i],
+ GNUTLS_X509_FMT_DER));
}
- gnutls_x509_trust_list_verify_named_crt(tlist, cert[0], hostname,
+ CHECK(gnutls_x509_trust_list_verify_named_crt(tlist, cert[0],
+ hostname,
strlen(hostname), GNUTLS_VERIFY_DISABLE_CRL_CHECKS, &output,
- print_details_func);
+ print_details_func));
/* if this certificate is not explicitly trusted verify against CAs */
if (output != 0) {
- gnutls_x509_trust_list_verify_crt(tlist, cert,
+ CHECK(gnutls_x509_trust_list_verify_crt(tlist, cert,
cert_chain_length, 0, &output,
- print_details_func);
+ print_details_func));
}
+
+
if (output & GNUTLS_CERT_INVALID) {
- fprintf(stderr, "Not trusted");
-
- if (output & GNUTLS_CERT_SIGNER_NOT_FOUND)
- fprintf(stderr, ": no issuer was found");
- if (output & GNUTLS_CERT_SIGNER_NOT_CA)
- fprintf(stderr, ": issuer is not a CA");
- if (output & GNUTLS_CERT_NOT_ACTIVATED)
- fprintf(stderr, ": not yet activated\n");
- if (output & GNUTLS_CERT_EXPIRED)
- fprintf(stderr, ": expired\n");
-
- fprintf(stderr, "\n");
+ fprintf(stderr, "Not trusted\n");
+ CHECK(gnutls_certificate_verification_status_print(
+ output,
+ GNUTLS_CRT_X509,
+ &txt, 0));
+
+ fprintf(stderr, "Error: %s\n", txt.data);
+ gnutls_free(txt.data);
} else fprintf(stderr, "Trusted\n"); |
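Review bot: `txt` is only written if the wrapped `gnutls_certificate_verification_status_print` call actually runs, but because `CHECK` is built on `assert`, an `NDEBUG` build drops the call and `txt.data` reaches `fprintf` and `gnutls_free` two lines later uninitialised; the same hazard applies to `output`, which `if (output != 0)` and `if (output & GNUTLS_CERT_INVALID)` read right after the two `CHECK`-wrapped verify calls. Make the call unconditional and check its result separately, e.g. `ret = gnutls_certificate_verification_status_print(output, GNUTLS_CRT_X509, &txt, 0);` followed by `if (ret < 0) { fprintf(stderr, "%s\n", gnutls_strerror(ret)); exit(1); }` (this assumes an `int ret` local, which the hunk does not show). The rest of verify_certificate_chain() lies outside the hunk.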