tests/x509_test.c

   1 /*
   2  * Copyright (C) 2002-2012 Free Software Foundation, Inc.
   3  *
   4  * Author: Nikos Mavrogiannopoulos
   5  *
   6  * This file is part of GnuTLS.
   7  *
   8  * GnuTLS is free software; you can redistribute it and/or modify it
   9  * under the terms of the GNU General Public License as published by
  10  * the Free Software Foundation; either version 3 of the License, or
  11  * (at your option) any later version.
  12  *
  13  * GnuTLS is distributed in the hope that it will be useful, but
  14  * WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  16  * General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU General Public License
  19  * along with GnuTLS; if not, write to the Free Software Foundation,
  20  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
  21  */
  22
  23 #include <stdio.h>
  24 #include <stdlib.h>
  25 #include <string.h>
  26 #include <gnutls/x509.h>
  27
  28 #define MAX_FILE_SIZE 16*1024
  29
  30 struct file_res
  31 {
  32   char *test_file;
  33   int result;
  34 };
  35
  36 static struct file_res test_files[] = {
  37   {"test1.pem", 0},
  38   {"test2.pem", GNUTLS_CERT_NOT_TRUSTED},
  39   {"test3.pem", GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED},
  40   {"test10.pem", 0},
  41   {"test13.pem", GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED},
  42   {"test20.pem", GNUTLS_CERT_REVOKED | GNUTLS_CERT_NOT_TRUSTED},
  43   {"test21.pem", GNUTLS_CERT_REVOKED | GNUTLS_CERT_NOT_TRUSTED},
  44   {"test22.pem", GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED},
  45   {"test23.pem", GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED},
  46   {"test24.pem", 0},
  47   {"test25.pem", GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED},
  48   {"test26.pem", 0},
  49   {NULL, 0}
  50 };
  51
  52 #define CA_FILE "ca.pem"
  53
  54 int _verify_x509_file (const char *certfile, const char *cafile);
  55
  56
  57 static void
  58 print_res (int x)
  59 {
  60   if (x & GNUTLS_CERT_INVALID)
  61     printf ("- certificate is invalid\n");
  62   else
  63     printf ("- certificate is valid\n");
  64   if (x & GNUTLS_CERT_NOT_TRUSTED)
  65     printf ("- certificate is NOT trusted\n");
  66   else
  67     printf ("- certificate is trusted\n");
  68
  69   if (x & GNUTLS_CERT_CORRUPTED)
  70     printf ("- Found a corrupted certificate.\n");
  71
  72   if (x & GNUTLS_CERT_REVOKED)
  73     printf ("- certificate is revoked.\n");
  74 }
  75
  76 int
  77 main ()
  78 {
  79
  80   int x;
  81   char *file;
  82   int i = 0, exp_result;
  83
  84   gnutls_global_init ();
  85
  86   fprintf (stderr,
  87            "This test will perform some checks on X.509 certificate\n");
  88   fprintf (stderr, "verification functions.\n\n");
  89
  90   for (;;)
  91     {
  92       exp_result = test_files[i].result;
  93       file = test_files[i++].test_file;
  94
  95       if (file == NULL)
  96         break;
  97       x = _verify_x509_file (file, CA_FILE);
  98
  99       if (x < 0)
 100         {
 101           fprintf (stderr, "Unexpected error: %d\n", x);
 102           exit (1);
 103         }
 104       printf ("Test %d, file %s: ", i, file);
 105
 106       if (x != exp_result)
 107         {
 108           printf ("failed.\n");
 109           fflush (stdout);
 110           fprintf (stderr, "Unexpected error in verification.\n");
 111           fprintf (stderr, "Certificate was found to be: \n");
 112           print_res (x);
 113         }
 114       else
 115         {
 116           printf ("ok.");
 117
 118           printf ("\n");
 119         }
 120     }
 121
 122   printf ("\n");
 123
 124   gnutls_global_deinit ();
 125
 126   return 0;
 127
 128 }
 129
 130 #define CERT_SEP "-----BEGIN CERT"
 131 #define CRL_SEP "-----BEGIN X509 CRL"
 132
 133 /* Verifies a base64 encoded certificate list from memory
 134  */
 135 int
 136 _verify_x509_mem (const char *cert, int cert_size,
 137                   const char *ca, int ca_size, const char *crl, int crl_size)
 138 {
 139   int siz, i;
 140   const char *ptr;
 141   int ret;
 142   unsigned int output;
 143   gnutls_datum_t tmp;
 144   gnutls_x509_crt *x509_cert_list = NULL;
 145   gnutls_x509_crt x509_ca;
 146   gnutls_x509_crl *x509_crl_list = NULL;
 147   int x509_ncerts, x509_ncrls;
 148
 149   /* Decode the CA certificate
 150    */
 151   tmp.data = (char *) ca;
 152   tmp.size = ca_size;
 153
 154   ret = gnutls_x509_crt_init (&x509_ca);
 155   if (ret < 0)
 156     {
 157       fprintf (stderr, "Error parsing the CA certificate: %s\n",
 158                gnutls_strerror (ret));
 159       exit (1);
 160     }
 161
 162   ret = gnutls_x509_crt_import (x509_ca, &tmp, GNUTLS_X509_FMT_PEM);
 163
 164   if (ret < 0)
 165     {
 166       fprintf (stderr, "Error parsing the CA certificate: %s\n",
 167                gnutls_strerror (ret));
 168       exit (1);
 169     }
 170
 171   /* Decode the CRL list
 172    */
 173   siz = crl_size;
 174   ptr = crl;
 175
 176   i = 1;
 177
 178   if (strstr (ptr, CRL_SEP) != NULL)    /* if CRLs exist */
 179     do
 180       {
 181         x509_crl_list =
 182           (gnutls_x509_crl *) realloc (x509_crl_list,
 183                                        i * sizeof (gnutls_x509_crl));
 184         if (x509_crl_list == NULL)
 185           {
 186             fprintf (stderr, "memory error\n");
 187             exit (1);
 188           }
 189
 190         tmp.data = (char *) ptr;
 191         tmp.size = siz;
 192
 193         ret = gnutls_x509_crl_init (&x509_crl_list[i - 1]);
 194         if (ret < 0)
 195           {
 196             fprintf (stderr, "Error parsing the CRL[%d]: %s\n", i,
 197                      gnutls_strerror (ret));
 198             exit (1);
 199           }
 200
 201         ret =
 202           gnutls_x509_crl_import (x509_crl_list[i - 1], &tmp,
 203                                   GNUTLS_X509_FMT_PEM);
 204         if (ret < 0)
 205           {
 206             fprintf (stderr, "Error parsing the CRL[%d]: %s\n", i,
 207                      gnutls_strerror (ret));
 208             exit (1);
 209           }
 210
 211         /* now we move ptr after the pem header */
 212         ptr = strstr (ptr, CRL_SEP);
 213         if (ptr != NULL)
 214           ptr++;
 215
 216         i++;
 217       }
 218     while ((ptr = strstr (ptr, CRL_SEP)) != NULL);
 219
 220   x509_ncrls = i - 1;
 221
 222
 223   /* Decode the certificate chain.
 224    */
 225   siz = cert_size;
 226   ptr = cert;
 227
 228   i = 1;
 229
 230   do
 231     {
 232       x509_cert_list =
 233         (gnutls_x509_crt *) realloc (x509_cert_list,
 234                                      i * sizeof (gnutls_x509_crt));
 235       if (x509_cert_list == NULL)
 236         {
 237           fprintf (stderr, "memory error\n");
 238           exit (1);
 239         }
 240
 241       tmp.data = (char *) ptr;
 242       tmp.size = siz;
 243
 244       ret = gnutls_x509_crt_init (&x509_cert_list[i - 1]);
 245       if (ret < 0)
 246         {
 247           fprintf (stderr, "Error parsing the certificate[%d]: %s\n", i,
 248                    gnutls_strerror (ret));
 249           exit (1);
 250         }
 251
 252       ret =
 253         gnutls_x509_crt_import (x509_cert_list[i - 1], &tmp,
 254                                 GNUTLS_X509_FMT_PEM);
 255       if (ret < 0)
 256         {
 257           fprintf (stderr, "Error parsing the certificate[%d]: %s\n", i,
 258                    gnutls_strerror (ret));
 259           exit (1);
 260         }
 261
 262       /* now we move ptr after the pem header */
 263       ptr = strstr (ptr, CERT_SEP);
 264       if (ptr != NULL)
 265         ptr++;
 266
 267       i++;
 268     }
 269   while ((ptr = strstr (ptr, CERT_SEP)) != NULL);
 270
 271   x509_ncerts = i - 1;
 272
 273   ret = gnutls_x509_crt_list_verify (x509_cert_list, x509_ncerts,
 274                                      &x509_ca, 1, x509_crl_list, x509_ncrls,
 275                                      0, &output);
 276
 277   gnutls_x509_crt_deinit (x509_ca);
 278
 279   for (i = 0; i < x509_ncerts; i++)
 280     {
 281       gnutls_x509_crt_deinit (x509_cert_list[i]);
 282     }
 283
 284   for (i = 0; i < x509_ncrls; i++)
 285     {
 286       gnutls_x509_crl_deinit (x509_crl_list[i]);
 287     }
 288
 289   free (x509_cert_list);
 290   free (x509_crl_list);
 291
 292   if (ret < 0)
 293     {
 294       fprintf (stderr, "Error in verification: %s\n", gnutls_strerror (ret));
 295       exit (1);
 296     }
 297
 298   return output;
 299 }
 300
 301
 302
 303 /* Reads and verifies a base64 encoded certificate file
 304  */
 305 int
 306 _verify_x509_file (const char *certfile, const char *cafile)
 307 {
 308   int ca_size, cert_size;
 309   char ca[MAX_FILE_SIZE];
 310   char cert[MAX_FILE_SIZE];
 311   FILE *fd1;
 312
 313   fd1 = fopen (certfile, "rb");
 314   if (fd1 == NULL)
 315     {
 316       fprintf (stderr, "error opening %s\n", certfile);
 317       return GNUTLS_E_FILE_ERROR;
 318     }
 319
 320   cert_size = fread (cert, 1, sizeof (cert) - 1, fd1);
 321   fclose (fd1);
 322
 323   cert[cert_size] = 0;
 324
 325
 326   fd1 = fopen (cafile, "rb");
 327   if (fd1 == NULL)
 328     {
 329       fprintf (stderr, "error opening %s\n", cafile);
 330       return GNUTLS_E_FILE_ERROR;
 331     }
 332
 333   ca_size = fread (ca, 1, sizeof (ca) - 1, fd1);
 334   fclose (fd1);
 335
 336   ca[ca_size] = 0;
 337
 338   return _verify_x509_mem (cert, cert_size, ca, ca_size, cert, cert_size);
 339 }