search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add `gnutls/dtls.h' to the distribution.
[gnutls.git] / tests / x509_test.c
blob27b6ad28ed78445336b93e746d480d7750778d1f
1 #include <stdio.h>
2 #include <stdlib.h>
3 #include <string.h>
4 #include <gnutls/x509.h>
5
6 #define MAX_FILE_SIZE 16*1024
7
8 struct file_res
9 {
10 char *test_file;
11 int result;
12 };
13
14 static struct file_res test_files[] = {
15 {"test1.pem", 0},
16 {"test2.pem", GNUTLS_CERT_NOT_TRUSTED},
17 {"test3.pem", GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED},
18 {"test10.pem", 0},
19 {"test13.pem", GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED},
20 {"test20.pem", GNUTLS_CERT_REVOKED | GNUTLS_CERT_NOT_TRUSTED},
21 {"test21.pem", GNUTLS_CERT_REVOKED | GNUTLS_CERT_NOT_TRUSTED},
22 {"test22.pem", GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED},
23 {"test23.pem", GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED},
24 {"test24.pem", 0},
25 {"test25.pem", GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED},
26 {"test26.pem", 0},
27 {NULL, 0}
28 };
29
30 #define CA_FILE "ca.pem"
31
32 int _verify_x509_file (const char *certfile, const char *cafile);
33
34
35 static void
36 print_res (int x)
37 {
38 if (x & GNUTLS_CERT_INVALID)
39 printf ("- certificate is invalid\n");
40 else
41 printf ("- certificate is valid\n");
42 if (x & GNUTLS_CERT_NOT_TRUSTED)
43 printf ("- certificate is NOT trusted\n");
44 else
45 printf ("- certificate is trusted\n");
46
47 if (x & GNUTLS_CERT_CORRUPTED)
48 printf ("- Found a corrupted certificate.\n");
49
50 if (x & GNUTLS_CERT_REVOKED)
51 printf ("- certificate is revoked.\n");
52 }
53
54 int
55 main ()
56 {
57
58 int x;
59 char *file;
60 int i = 0, exp_result;
61
62 gnutls_global_init ();
63
64 fprintf (stderr,
65 "This test will perform some checks on X.509 certificate\n");
66 fprintf (stderr, "verification functions.\n\n");
67
68 for (;;)
69 {
70 exp_result = test_files[i].result;
71 file = test_files[i++].test_file;
72
73 if (file == NULL)
74 break;
75 x = _verify_x509_file (file, CA_FILE);
76
77 if (x < 0)
78 {
79 fprintf (stderr, "Unexpected error: %d\n", x);
80 exit (1);
81 }
82 printf ("Test %d, file %s: ", i, file);
83
84 if (x != exp_result)
85 {
86 printf ("failed.\n");
87 fflush (stdout);
88 fprintf (stderr, "Unexpected error in verification.\n");
89 fprintf (stderr, "Certificate was found to be: \n");
90 print_res (x);
91 }
92 else
93 {
94 printf ("ok.");
95
96 printf ("\n");
97 }
98 }
99
100 printf ("\n");
101
102 gnutls_global_deinit ();
103
104 return 0;
105
106 }
107
108 #define CERT_SEP "-----BEGIN CERT"
109 #define CRL_SEP "-----BEGIN X509 CRL"
110
111 /* Verifies a base64 encoded certificate list from memory
112 */
113 int
114 _verify_x509_mem (const char *cert, int cert_size,
115 const char *ca, int ca_size, const char *crl, int crl_size)
116 {
117 int siz, i;
118 const char *ptr;
119 int ret;
120 unsigned int output;
121 gnutls_datum_t tmp;
122 gnutls_x509_crt *x509_cert_list = NULL;
123 gnutls_x509_crt x509_ca;
124 gnutls_x509_crl *x509_crl_list = NULL;
125 int x509_ncerts, x509_ncrls;
126
127 /* Decode the CA certificate
128 */
129 tmp.data = (char *) ca;
130 tmp.size = ca_size;
131
132 ret = gnutls_x509_crt_init (&x509_ca);
133 if (ret < 0)
134 {
135 fprintf (stderr, "Error parsing the CA certificate: %s\n",
136 gnutls_strerror (ret));
137 exit (1);
138 }
139
140 ret = gnutls_x509_crt_import (x509_ca, &tmp, GNUTLS_X509_FMT_PEM);
141
142 if (ret < 0)
143 {
144 fprintf (stderr, "Error parsing the CA certificate: %s\n",
145 gnutls_strerror (ret));
146 exit (1);
147 }
148
149 /* Decode the CRL list
150 */
151 siz = crl_size;
152 ptr = crl;
153
154 i = 1;
155
156 if (strstr (ptr, CRL_SEP) != NULL) /* if CRLs exist */
157 do
158 {
159 x509_crl_list =
160 (gnutls_x509_crl *) realloc (x509_crl_list,
161 i * sizeof (gnutls_x509_crl));
162 if (x509_crl_list == NULL)
163 {
164 fprintf (stderr, "memory error\n");
165 exit (1);
166 }
167
168 tmp.data = (char *) ptr;
169 tmp.size = siz;
170
171 ret = gnutls_x509_crl_init (&x509_crl_list[i - 1]);
172 if (ret < 0)
173 {
174 fprintf (stderr, "Error parsing the CRL[%d]: %s\n", i,
175 gnutls_strerror (ret));
176 exit (1);
177 }
178
179 ret =
180 gnutls_x509_crl_import (x509_crl_list[i - 1], &tmp,
181 GNUTLS_X509_FMT_PEM);
182 if (ret < 0)
183 {
184 fprintf (stderr, "Error parsing the CRL[%d]: %s\n", i,
185 gnutls_strerror (ret));
186 exit (1);
187 }
188
189 /* now we move ptr after the pem header */
190 ptr = strstr (ptr, CRL_SEP);
191 if (ptr != NULL)
192 ptr++;
193
194 i++;
195 }
196 while ((ptr = strstr (ptr, CRL_SEP)) != NULL);
197
198 x509_ncrls = i - 1;
199
200
201 /* Decode the certificate chain.
202 */
203 siz = cert_size;
204 ptr = cert;
205
206 i = 1;
207
208 do
209 {
210 x509_cert_list =
211 (gnutls_x509_crt *) realloc (x509_cert_list,
212 i * sizeof (gnutls_x509_crt));
213 if (x509_cert_list == NULL)
214 {
215 fprintf (stderr, "memory error\n");
216 exit (1);
217 }
218
219 tmp.data = (char *) ptr;
220 tmp.size = siz;
221
222 ret = gnutls_x509_crt_init (&x509_cert_list[i - 1]);
223 if (ret < 0)
224 {
225 fprintf (stderr, "Error parsing the certificate[%d]: %s\n", i,
226 gnutls_strerror (ret));
227 exit (1);
228 }
229
230 ret =
231 gnutls_x509_crt_import (x509_cert_list[i - 1], &tmp,
232 GNUTLS_X509_FMT_PEM);
233 if (ret < 0)
234 {
235 fprintf (stderr, "Error parsing the certificate[%d]: %s\n", i,
236 gnutls_strerror (ret));
237 exit (1);
238 }
239
240 /* now we move ptr after the pem header */
241 ptr = strstr (ptr, CERT_SEP);
242 if (ptr != NULL)
243 ptr++;
244
245 i++;
246 }
247 while ((ptr = strstr (ptr, CERT_SEP)) != NULL);
248
249 x509_ncerts = i - 1;
250
251 ret = gnutls_x509_crt_list_verify (x509_cert_list, x509_ncerts,
252 &x509_ca, 1, x509_crl_list, x509_ncrls,
253 0, &output);
254
255 gnutls_x509_crt_deinit (x509_ca);
256
257 for (i = 0; i < x509_ncerts; i++)
258 {
259 gnutls_x509_crt_deinit (x509_cert_list[i]);
260 }
261
262 for (i = 0; i < x509_ncrls; i++)
263 {
264 gnutls_x509_crl_deinit (x509_crl_list[i]);
265 }
266
267 free (x509_cert_list);
268 free (x509_crl_list);
269
270 if (ret < 0)
271 {
272 fprintf (stderr, "Error in verification: %s\n", gnutls_strerror (ret));
273 exit (1);
274 }
275
276 return output;
277 }
278
279
280
281 /* Reads and verifies a base64 encoded certificate file
282 */
283 int
284 _verify_x509_file (const char *certfile, const char *cafile)
285 {
286 int ca_size, cert_size;
287 char ca[MAX_FILE_SIZE];
288 char cert[MAX_FILE_SIZE];
289 FILE *fd1;
290
291 fd1 = fopen (certfile, "rb");
292 if (fd1 == NULL)
293 {
294 fprintf (stderr, "error opening %s\n", certfile);
295 return GNUTLS_E_FILE_ERROR;
296 }
297
298 cert_size = fread (cert, 1, sizeof (cert) - 1, fd1);
299 fclose (fd1);
300
301 cert[cert_size] = 0;
302
303
304 fd1 = fopen (cafile, "rb");
305 if (fd1 == NULL)
306 {
307 fprintf (stderr, "error opening %s\n", cafile);
308 return GNUTLS_E_FILE_ERROR;
309 }
310
311 ca_size = fread (ca, 1, sizeof (ca) - 1, fd1);
312 fclose (fd1);
313
314 ca[ca_size] = 0;
315
316 return _verify_x509_mem (cert, cert_size, ca, ca_size, cert, cert_size);
317 }
Implementation of the SSL/TLS protocol