8 #include <gnutls/gnutls.h>
9 #include <gnutls/x509.h>
13 int verify_certificate_callback (gnutls_session_t session
)
16 const gnutls_datum_t
*cert_list
;
17 unsigned int cert_list_size
;
19 gnutls_x509_crt_t cert
;
23 hostname
= gnutls_session_get_ptr (session
);
25 /* This verification function uses the trusted CAs in the credentials
26 * structure. So you must have installed one or more CA certificates.
28 ret
= gnutls_certificate_verify_peers2 (session
, &status
);
32 return GNUTLS_E_CERTIFICATE_ERROR
;
35 if (status
& GNUTLS_CERT_INVALID
)
36 printf ("The certificate is not trusted.\n");
38 if (status
& GNUTLS_CERT_SIGNER_NOT_FOUND
)
39 printf ("The certificate hasn't got a known issuer.\n");
41 if (status
& GNUTLS_CERT_REVOKED
)
42 printf ("The certificate has been revoked.\n");
44 if (status
& GNUTLS_CERT_EXPIRED
)
45 printf ("The certificate has expired\n");
47 if (status
& GNUTLS_CERT_NOT_ACTIVATED
)
48 printf ("The certificate is not yet activated\n");
50 /* Up to here the process is the same for X.509 certificates and
51 * OpenPGP keys. From now on X.509 certificates are assumed. This can
52 * be easily extended to work with openpgp keys as well.
54 if (gnutls_certificate_type_get (session
) != GNUTLS_CRT_X509
)
55 return GNUTLS_E_CERTIFICATE_ERROR
;
57 if (gnutls_x509_crt_init (&cert
) < 0)
59 printf ("error in initialization\n");
60 return GNUTLS_E_CERTIFICATE_ERROR
;
63 cert_list
= gnutls_certificate_get_peers (session
, &cert_list_size
);
64 if (cert_list
== NULL
)
66 printf ("No certificate was found!\n");
67 return GNUTLS_E_CERTIFICATE_ERROR
;
70 /* This is not a real world example, since we only check the first
71 * certificate in the given chain.
73 if (gnutls_x509_crt_import (cert
, &cert_list
[0], GNUTLS_X509_FMT_DER
) < 0)
75 printf ("error parsing certificate\n");
76 return GNUTLS_E_CERTIFICATE_ERROR
;
80 if (!gnutls_x509_crt_check_hostname (cert
, hostname
))
82 printf ("The certificate's owner does not match hostname '%s'\n",
84 return GNUTLS_E_CERTIFICATE_ERROR
;
87 gnutls_x509_crt_deinit (cert
);
89 /* notify gnutls to continue handshake normally */