doc/examples/ex-verify.c

   1 /* This example code is placed in the public domain. */
   2
   3 #ifdef HAVE_CONFIG_H
   4 #include <config.h>
   5 #endif
   6
   7 #include <stdio.h>
   8 #include <stdlib.h>
   9 #include <gnutls/gnutls.h>
  10 #include <gnutls/x509.h>
  11
  12 #include "examples.h"
  13
  14 /* All the available CRLs
  15  */
  16 gnutls_x509_crl_t *crl_list;
  17 int crl_list_size;
  18
  19 /* All the available trusted CAs
  20  */
  21 gnutls_x509_crt_t *ca_list;
  22 int ca_list_size;
  23
  24 static void verify_cert2 (gnutls_x509_crt_t crt,
  25                           gnutls_x509_crt_t issuer,
  26                           gnutls_x509_crl_t * crl_list, int crl_list_size);
  27 static void verify_last_cert (gnutls_x509_crt_t crt,
  28                               gnutls_x509_crt_t * ca_list, int ca_list_size,
  29                               gnutls_x509_crl_t * crl_list,
  30                               int crl_list_size);
  31
  32
  33 /* This function will try to verify the peer's certificate chain, and
  34  * also check if the hostname matches, and the activation, expiration dates.
  35  */
  36 void
  37 verify_certificate_chain (gnutls_session_t session,
  38                           const char *hostname,
  39                           const gnutls_datum_t * cert_chain,
  40                           int cert_chain_length)
  41 {
  42   int i;
  43   gnutls_x509_crt_t *cert;
  44
  45   cert = malloc (sizeof (*cert) * cert_chain_length);
  46
  47   /* Import all the certificates in the chain to
  48    * native certificate format.
  49    */
  50   for (i = 0; i < cert_chain_length; i++)
  51     {
  52       gnutls_x509_crt_init (&cert[i]);
  53       gnutls_x509_crt_import (cert[i], &cert_chain[i], GNUTLS_X509_FMT_DER);
  54     }
  55
  56   /* If the last certificate in the chain is self signed ignore it.
  57    * That is because we want to check against our trusted certificate
  58    * list.
  59    */
  60   if (gnutls_x509_crt_check_issuer (cert[cert_chain_length - 1],
  61                                     cert[cert_chain_length - 1]) > 0
  62       && cert_chain_length > 0)
  63     {
  64       cert_chain_length--;
  65     }
  66
  67   /* Now verify the certificates against their issuers
  68    * in the chain.
  69    */
  70   for (i = 1; i < cert_chain_length; i++)
  71     {
  72       verify_cert2 (cert[i - 1], cert[i], crl_list, crl_list_size);
  73     }
  74
  75   /* Here we must verify the last certificate in the chain against
  76    * our trusted CA list.
  77    */
  78   verify_last_cert (cert[cert_chain_length - 1],
  79                     ca_list, ca_list_size, crl_list, crl_list_size);
  80
  81   /* Check if the name in the first certificate matches our destination!
  82    */
  83   if (!gnutls_x509_crt_check_hostname (cert[0], hostname))
  84     {
  85       printf ("The certificate's owner does not match hostname '%s'\n",
  86               hostname);
  87     }
  88
  89   for (i = 0; i < cert_chain_length; i++)
  90     gnutls_x509_crt_deinit (cert[i]);
  91
  92   return;
  93 }
  94
  95
  96 /* Verifies a certificate against an other certificate
  97  * which is supposed to be it's issuer. Also checks the
  98  * crl_list if the certificate is revoked.
  99  */
 100 static void
 101 verify_cert2 (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
 102               gnutls_x509_crl_t * crl_list, int crl_list_size)
 103 {
 104   unsigned int output;
 105   int ret;
 106   size_t name_size;
 107   char name[64];
 108
 109   /* Print information about the certificates to
 110    * be checked.
 111    */
 112   name_size = sizeof (name);
 113   gnutls_x509_crt_get_dn (crt, name, &name_size);
 114
 115   fprintf (stderr, "\nCertificate: %s\n", name);
 116
 117   name_size = sizeof (name);
 118   gnutls_x509_crt_get_issuer_dn (crt, name, &name_size);
 119
 120   fprintf (stderr, "Issued by: %s\n", name);
 121
 122   /* Get the DN of the issuer cert.
 123    */
 124   name_size = sizeof (name);
 125   gnutls_x509_crt_get_dn (issuer, name, &name_size);
 126
 127   fprintf (stderr, "Checking against: %s\n", name);
 128
 129   /* Do the actual verification.
 130    */
 131   gnutls_x509_crt_verify (crt, &issuer, 1, 0, &output);
 132
 133   if (output & GNUTLS_CERT_INVALID)
 134     {
 135       fprintf (stderr, "Not trusted");
 136
 137       if (output & GNUTLS_CERT_SIGNER_NOT_FOUND)
 138         fprintf (stderr, ": no issuer was found");
 139       if (output & GNUTLS_CERT_SIGNER_NOT_CA)
 140         fprintf (stderr, ": issuer is not a CA");
 141       if (output & GNUTLS_CERT_NOT_ACTIVATED)
 142         fprintf (stderr, ": not yet activated\n");
 143       if (output & GNUTLS_CERT_EXPIRED)
 144         fprintf (stderr, ": expired\n");
 145
 146       fprintf (stderr, "\n");
 147     }
 148   else
 149     fprintf (stderr, "Trusted\n");
 150
 151   /* Check if the certificate is revoked.
 152    */
 153   ret = gnutls_x509_crt_check_revocation (crt, crl_list, crl_list_size);
 154   if (ret == 1)
 155     {                           /* revoked */
 156       fprintf (stderr, "Revoked\n");
 157     }
 158 }
 159
 160
 161 /* Verifies a certificate against our trusted CA list.
 162  * Also checks the crl_list if the certificate is revoked.
 163  */
 164 static void
 165 verify_last_cert (gnutls_x509_crt_t crt,
 166                   gnutls_x509_crt_t * ca_list, int ca_list_size,
 167                   gnutls_x509_crl_t * crl_list, int crl_list_size)
 168 {
 169   unsigned int output;
 170   int ret;
 171   size_t name_size;
 172   char name[64];
 173
 174   /* Print information about the certificates to
 175    * be checked.
 176    */
 177   name_size = sizeof (name);
 178   gnutls_x509_crt_get_dn (crt, name, &name_size);
 179
 180   fprintf (stderr, "\nCertificate: %s\n", name);
 181
 182   name_size = sizeof (name);
 183   gnutls_x509_crt_get_issuer_dn (crt, name, &name_size);
 184
 185   fprintf (stderr, "Issued by: %s\n", name);
 186
 187   /* Do the actual verification.
 188    */
 189   gnutls_x509_crt_verify (crt, ca_list, ca_list_size,
 190                           GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, &output);
 191
 192   if (output & GNUTLS_CERT_INVALID)
 193     {
 194       fprintf (stderr, "Not trusted");
 195
 196       if (output & GNUTLS_CERT_SIGNER_NOT_CA)
 197         fprintf (stderr, ": Issuer is not a CA\n");
 198       if (output & GNUTLS_CERT_NOT_ACTIVATED)
 199         fprintf (stderr, ": Not yet activated\n");
 200       if (output & GNUTLS_CERT_EXPIRED)
 201         fprintf (stderr, ": Expired\n");
 202       fprintf (stderr, "\n");
 203     }
 204   else
 205     fprintf (stderr, "Trusted\n");
 206
 207
 208   /* Check if the certificate is revoked.
 209    */
 210   ret = gnutls_x509_crt_check_revocation (crt, crl_list, crl_list_size);
 211   if (ret == 1)
 212     {                           /* revoked */
 213       fprintf (stderr, "Revoked\n");
 214     }
 215 }