1 /* This example code is placed in the public domain. */
10 #include <gnutls/gnutls.h>
11 #include <gnutls/x509.h>
14 /* This function will verify the peer's certificate, check
15 * if the hostname matches. In addition it will perform an
16 * SSH-style authentication, where ultimately trusted keys
17 * are only the keys that have been seen before.
20 _ssh_verify_certificate_callback (gnutls_session_t session
)
23 const gnutls_datum_t
*cert_list
;
24 unsigned int cert_list_size
;
29 hostname
= gnutls_session_get_ptr (session
);
31 /* This verification function uses the trusted CAs in the credentials
32 * structure. So you must have installed one or more CA certificates.
34 ret
= gnutls_certificate_verify_peers3 (session
, hostname
, &status
);
38 return GNUTLS_E_CERTIFICATE_ERROR
;
41 if (status
& GNUTLS_CERT_INVALID
)
42 printf ("The certificate is not trusted.\n");
44 if (status
& GNUTLS_CERT_SIGNER_NOT_FOUND
)
45 printf ("The certificate hasn't got a known issuer.\n");
47 if (status
& GNUTLS_CERT_REVOKED
)
48 printf ("The certificate has been revoked.\n");
50 if (status
& GNUTLS_CERT_EXPIRED
)
51 printf ("The certificate has expired\n");
53 if (status
& GNUTLS_CERT_NOT_ACTIVATED
)
54 printf ("The certificate is not yet activated\n");
56 cert_list
= gnutls_certificate_get_peers (session
, &cert_list_size
);
57 if (cert_list
== NULL
)
59 printf ("No certificate was found!\n");
60 return GNUTLS_E_CERTIFICATE_ERROR
;
63 /* service may be obtained alternatively using getservbyport() */
64 ret
= gnutls_verify_stored_pubkey(NULL
, NULL
, hostname
, "https",
65 gnutls_certificate_type_get (session
),
67 if (ret
== GNUTLS_E_NO_CERTIFICATE_FOUND
)
69 printf("Host %s is not known.", hostname
);
71 printf("Its certificate is valid for %s.\n", hostname
);
73 /* the certificate must be printed and user must be asked on
74 * whether it is trustworthy. --see gnutls_x509_crt_print() */
77 return GNUTLS_E_CERTIFICATE_ERROR
;
79 else if (ret
== GNUTLS_E_CERTIFICATE_KEY_MISMATCH
)
81 printf("Warning: host %s is known but has another key associated.", hostname
);
82 printf("It might be that the server has multiple keys, or you are under attack\n");
84 printf("Its certificate is valid for %s.\n", hostname
);
86 /* the certificate must be printed and user must be asked on
87 * whether it is trustworthy. --see gnutls_x509_crt_print() */
90 return GNUTLS_E_CERTIFICATE_ERROR
;
94 printf("gnutls_verify_stored_pubkey: %s\n", gnutls_strerror(ret
));
98 /* user trusts the key -> store it */
101 ret
= gnutls_store_pubkey(NULL
, NULL
, hostname
, "https",
102 gnutls_certificate_type_get (session
),
103 &cert_list
[0], 0, 0);
105 printf("gnutls_store_pubkey: %s\n", gnutls_strerror(ret
));
108 /* notify gnutls to continue handshake normally */