doc/examples/verify.c

   1 #ifdef HAVE_CONFIG_H
   2 #include <config.h>
   3 #endif
   4
   5 #include <stdio.h>
   6 #include <stdlib.h>
   7 #include <string.h>
   8 #include <gnutls/gnutls.h>
   9 #include <gnutls/x509.h>
  10
  11 #include "examples.h"
  12
  13 int verify_certificate_callback (gnutls_session_t session)
  14 {
  15   unsigned int status;
  16   const gnutls_datum_t *cert_list;
  17   unsigned int cert_list_size;
  18   int ret;
  19   gnutls_x509_crt_t cert;
  20   const char *hostname;
  21
  22   /* read hostname */
  23   hostname = gnutls_session_get_ptr (session);
  24
  25   /* This verification function uses the trusted CAs in the credentials
  26    * structure. So you must have installed one or more CA certificates.
  27    */
  28   ret = gnutls_certificate_verify_peers2 (session, &status);
  29   if (ret < 0)
  30     {
  31       printf ("Error\n");
  32       return GNUTLS_E_CERTIFICATE_ERROR;
  33     }
  34
  35   if (status & GNUTLS_CERT_INVALID)
  36     printf ("The certificate is not trusted.\n");
  37
  38   if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
  39     printf ("The certificate hasn't got a known issuer.\n");
  40
  41   if (status & GNUTLS_CERT_REVOKED)
  42     printf ("The certificate has been revoked.\n");
  43
  44   if (status & GNUTLS_CERT_EXPIRED)
  45     printf ("The certificate has expired\n");
  46
  47   if (status & GNUTLS_CERT_NOT_ACTIVATED)
  48     printf ("The certificate is not yet activated\n");
  49
  50   /* Up to here the process is the same for X.509 certificates and
  51    * OpenPGP keys. From now on X.509 certificates are assumed. This can
  52    * be easily extended to work with openpgp keys as well.
  53    */
  54   if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509)
  55     return GNUTLS_E_CERTIFICATE_ERROR;
  56
  57   if (gnutls_x509_crt_init (&cert) < 0)
  58     {
  59       printf ("error in initialization\n");
  60       return GNUTLS_E_CERTIFICATE_ERROR;
  61     }
  62
  63   cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
  64   if (cert_list == NULL)
  65     {
  66       printf ("No certificate was found!\n");
  67       return GNUTLS_E_CERTIFICATE_ERROR;
  68     }
  69
  70   /* This is not a real world example, since we only check the first
  71    * certificate in the given chain.
  72    */
  73   if (gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
  74     {
  75       printf ("error parsing certificate\n");
  76       return GNUTLS_E_CERTIFICATE_ERROR;
  77     }
  78
  79
  80   if (!gnutls_x509_crt_check_hostname (cert, hostname))
  81     {
  82       printf ("The certificate's owner does not match hostname '%s'\n",
  83               hostname);
  84       return GNUTLS_E_CERTIFICATE_ERROR;
  85     }
  86
  87   gnutls_x509_crt_deinit (cert);
  88
  89   /* notify gnutls to continue handshake normally */
  90   return 0;
  91 }