1 /*
2  * Copyright (C) 2008-2012 Free Software Foundation, Inc.
3  *
4  * Author: Simon Josefsson
5  *
6  * This file is part of GnuTLS.
7  *
8  * GnuTLS is free software; you can redistribute it and/or modify it
9  * under the terms of the GNU General Public License as published by
10  * the Free Software Foundation; either version 3 of the License, or
11  * (at your option) any later version.
12  *
13  * GnuTLS is distributed in the hope that it will be useful, but
14  * WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
16  * General Public License for more details.
17  *
18  * You should have received a copy of the GNU General Public License
19  * along with GnuTLS; if not, write to the Free Software Foundation,
20  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
21  */
22
23 #ifdef HAVE_CONFIG_H
24 #include <config.h>
25 #endif
26
27 #include <stdio.h>
28 #include <stdlib.h>
29 #include <string.h>
30 #include <errno.h>
31 #include <gnutls/gnutls.h>
32 #include "utils.h"
33 #include "eagain-common.h"
34
/* Label of the side whose traffic is being logged ("client"/"server"
 * style prefix for tls_log_func).  Zero-initialised, so it is NULL until
 * something assigns it -- presumably the eagain-common.h transport helpers;
 * confirm before relying on it in early log output. */
const char *side;
36
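/*
 * Log callback installed via gnutls_global_set_log_function().
 *
 * Writes "<side>|<level>| <message>" to stderr so that interleaved
 * client/server output can be told apart.  `side` is a zero-initialised
 * file-scope global and therefore NULL until assigned; passing NULL to
 * %s is undefined behaviour, so substitute a placeholder in that case.
 *
 * @param level  GnuTLS log level of the message
 * @param str    message text, printed verbatim
 */
static void tls_log_func(int level, const char *str)
{
	fprintf(stderr, "%s|<%d>| %s", side ? side : "?", level, str);
}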
41
/*
 * Test CA certificate, PEM encoded.  It is the only trust anchor handed
 * to the client in doit(), so the chain sent by the server has to lead
 * to it for verification to succeed.
 */
static unsigned char ca_cert_pem[] =
"-----BEGIN CERTIFICATE-----\n"
"MIIC4DCCAcigAwIBAgIBADANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w\n"
"MCIYDzIwMTQwNDA0MTk1OTA1WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
"BENBLTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD46JAPKrTsNTHl\n"
"zD06eIYBF/8Z+TR0wukp9Cdh8Sw77dODLjy/QrVKiDgDZZdyUc8Agsdr86i95O0p\n"
"w19Np3a0wja0VC9uwppZrpuHsrWukwxIBXoViyBc20Y6Ce8j0scCbR10SP565qXC\n"
"i8vr86S4xmQMRZMtwohP/GWQzt45jqkHPYHjdKzwo2b2XI7joDq0dvbr3MSONkGs\n"
"z7A/1Bl3iH5keDTWjqpJRWqXE79IhGOhELy+gG4VLJDGHWCr2mq24b9Kirp+TTxl\n"
"lUwJRbchqUqerlFdt1NgDoGaJyd73Sh0qcZzmEiOI2hGvBtG86tdQ6veC9dl05et\n"
"pM+6RMABAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE\n"
"ADAdBgNVHQ4EFgQUGD0RYr2H7kfjQUcBMxSTCDQnhu0wDQYJKoZIhvcNAQELBQAD\n"
"ggEBALnHMubZ6WJ/XOFyDuo0imwg2onrPas3MuKT4+y0aHY943BgAOEc3jKitRjc\n"
"qhb0IUD+NS7itRwNtCgI3v5Ym5nnQoVk+aOD/D724TjJ9XaPQJzOnuGaZX99VN2F\n"
"sgwAtDXedlDQ+I6KLzLd6VW+UyWTG4qiRjOGDnG2kM1wAEOM27TzHV/YWleGjhtA\n"
"bRHxkioOni5goNlTzazxF4v9VD2uinWrIFyZmF6vQuMm6rKFgq6higAU8uesFo7+\n"
"3qpeRjNrPC4fNJUBvv+PC0WnP0PLnD/rY/ZcTYjLb/vJp1fiMJ5fU7jJklBhX2TE\n"
"tstcP7FUV5HA/s9BxgAh0Z2wyyY=\n"
"-----END CERTIFICATE-----\n";

/* Datum wrapping ca_cert_pem for the gnutls_*_mem() calls.  The size is
 * sizeof() of the array, so it counts the string's terminating NUL too. */
const gnutls_datum_t ca_cert = { ca_cert_pem,
	sizeof(ca_cert_pem)
};
65
/*
 * Server certificate chain, PEM encoded: two certificates concatenated
 * (the server's own certificate first, then presumably the intermediate
 * CA that issued it).  doit() checks that the client receives both.
 */
static unsigned char server_cert_pem[] =
"-----BEGIN CERTIFICATE-----\n"
"MIIDIzCCAgugAwIBAgIMUz8PCR2sdRK56V6OMA0GCSqGSIb3DQEBCwUAMA8xDTAL\n"
"BgNVBAMTBENBLTEwIhgPMjAxNDA0MDQxOTU5MDVaGA85OTk5MTIzMTIzNTk1OVow\n"
"EzERMA8GA1UEAxMIc2VydmVyLTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n"
"AoIBAQDZ3dCzh9gOTOiOb2dtrPu91fYYgC/ey0ACYjQxaru7FZwnuXPhQK9KHsIV\n"
"YRIyo49wjKZddkHet2sbpFAAeETZh8UUWLRb/mupyaSJMycaYCNjLZCUJTztvXxJ\n"
"CCNfbtgvKC+Vu1mu94KBPatslgvnsamH7AiL5wmwRRqdH/Z93XaEvuRG6Zk0Sh9q\n"
"ZMdCboGfjtmGEJ1V+z5CR+IyH4sckzd8WJW6wBSEwgliGaXnc75xKtFWBZV2njNr\n"
"8V1TOYOdLEbiF4wduVExL5TKq2ywNkRpUfK2I1BcWS5D9Te/QT7aSdE08rL6ztmZ\n"
"IhILSrMOfoLnJ4lzXspz3XLlEuhnAgMBAAGjdzB1MAwGA1UdEwEB/wQCMAAwFAYD\n"
"VR0RBA0wC4IJbG9jYWxob3N0MA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0OBBYEFJXR\n"
"raRS5MVhEqaRE42A3S2BIj7UMB8GA1UdIwQYMBaAFP6S7AyMRO2RfkANgo8YsCl8\n"
"JfJkMA0GCSqGSIb3DQEBCwUAA4IBAQCQ62+skMVZYrGbpab8RI9IG6xH8kEndvFj\n"
"J7wBBZCOlcjOj+HQ7a2buF5zGKRwAOSznKcmvZ7l5DPdsd0t5/VT9LKSbQ6+CfGr\n"
"Xs5qPaDJnRhZkOILCvXJ9qyO+79WNMsg9pWnxkTK7aWR5OYE+1Qw1jG681HMkWTm\n"
"nt7et9bdiNNpvA+L55569XKbdtJLs3hn5gEQFgS7EaEj59aC4vzSTFcidowCoa43\n"
"7JmfSfC9YaAIFH2vriyU0QNf2y7cG5Hpkge+U7uMzQrsT77Q3SDB9WkyPAFNSB4Q\n"
"B/r+OtZXOnQhLlMV7h4XGlWruFEaOBVjFHSdMGUh+DtaLvd1bVXI\n"
"-----END CERTIFICATE-----\n"
"-----BEGIN CERTIFICATE-----\n"
"MIIDATCCAemgAwIBAgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRDQS0w\n"
"MCIYDzIwMTQwNDA0MTk1OTA1WhgPOTk5OTEyMzEyMzU5NTlaMA8xDTALBgNVBAMT\n"
"BENBLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvhyQfsUm3T0xK\n"
"jiBXO3H6Y27b7lmCRYZQCmXCl2sUsGDL7V9biavTt3+sorWtH542/cTGDh5n8591\n"
"7rVxAB/VASmN55O3fjZyFGrjusjhXBla0Yxe5rZ/7/Pjrq84T7gc/IXiX9Sums/c\n"
"o9AeoykfhsjV2ubhh4h+8uPsHDTcAFTxq3mQaoldwnW2nmjDFzaKLtQdnyFf41o6\n"
"nsJCK/J9PtpdCID5Zb+eQfu5Yhk1iUHe8a9TOstCHtgBq61YzufDHUQk3zsT+VZM\n"
"20lDvSBnHdWLjxoea587JbkvtH8xRR8ThwABSb98qPnhJ8+A7mpO89QO1wxZM85A\n"
"xEweQlMHAgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE\n"
"ADAdBgNVHQ4EFgQU/pLsDIxE7ZF+QA2CjxiwKXwl8mQwHwYDVR0jBBgwFoAUGD0R\n"
"Yr2H7kfjQUcBMxSTCDQnhu0wDQYJKoZIhvcNAQELBQADggEBANEXLUV+Z1PGTn7M\n"
"3rPT/m/EamcrZJ3vFWrnfN91ws5llyRUKNhx6222HECh3xRSxH9YJONsbv2zY6sd\n"
"ztY7lvckL4xOgWAjoCVTx3hqbZjDxpLRsvraw1PlqBHlRQVWLKlEQ55+tId2zgMX\n"
"Z+wxM7FlU/6yWVPODIxrqYQd2KqaEp4aLIklw6Hi4HD6DnQJikjsJ6Noe0qyX1Tx\n"
"uZ8mgP/G47Fe2d2H29kJ1iJ6hp1XOqyWrVIh/jONcnTvWS8aMqS3MU0EJH2Pb1Qa\n"
"KGIvbd/3H9LykFTP/b7Imdv2fZxXIK8jC+jbF1w6rdBCVNA0p30X/jonoC3vynEK\n"
"5cK0cgs=\n"
"-----END CERTIFICATE-----\n";

/* Datum wrapping the whole chain; size is sizeof() of the array and so
 * includes the terminating NUL of the string literal. */
const gnutls_datum_t server_cert = { server_cert_pem,
	sizeof(server_cert_pem)
};
109
/*
 * RSA private key for the server certificate above, PEM encoded.  It is
 * committed to the public source tree, so it is a test fixture only.
 */
static unsigned char server_key_pem[] =
"-----BEGIN RSA PRIVATE KEY-----\n"
"MIIEpQIBAAKCAQEA2d3Qs4fYDkzojm9nbaz7vdX2GIAv3stAAmI0MWq7uxWcJ7lz\n"
"4UCvSh7CFWESMqOPcIymXXZB3rdrG6RQAHhE2YfFFFi0W/5rqcmkiTMnGmAjYy2Q\n"
"lCU87b18SQgjX27YLygvlbtZrveCgT2rbJYL57Gph+wIi+cJsEUanR/2fd12hL7k\n"
"RumZNEofamTHQm6Bn47ZhhCdVfs+QkfiMh+LHJM3fFiVusAUhMIJYhml53O+cSrR\n"
"VgWVdp4za/FdUzmDnSxG4heMHblRMS+UyqtssDZEaVHytiNQXFkuQ/U3v0E+2knR\n"
"NPKy+s7ZmSISC0qzDn6C5yeJc17Kc91y5RLoZwIDAQABAoIBAQCRXAu5HPOsZufq\n"
"0K2DYZz9BdqSckR+M8HbVUZZiksDAeIUJwoHyi6qF2eK+B86JiK4Bz+gsBw2ys3t\n"
"vW2bQqM9N/boIl8D2fZfbCgZWkXGtUonC+mgzk+el4Rq/cEMFVqr6/YDwuKNeJpc\n"
"PJc5dcsvpTvlcjgpj9bJAvJEz2SYiIUpvtG4WNMGGapVZZPDvWn4/isY+75T5oDf\n"
"1X5jG0lN9uoUjcuGuThN7gxjwlRkcvEOPHjXc6rxfrWIDdiz/91V46PwpqVDpRrg\n"
"ig6U7+ckS0Oy2v32x0DaDhwAfDJ2RNc9az6Z+11lmY3LPkjG/p8Klcmgvt4/lwkD\n"
"OYRC5QGRAoGBAPFdud6nmVt9h1DL0o4R6snm6P3K81Ds765VWVmpzJkK3+bwe4PQ\n"
"GQQ0I0zN4hXkDMwHETS+EVWllqkK/d4dsE3volYtyTti8zthIATlgSEJ81x/ChAQ\n"
"vvXxgx+zPUnb1mUwy+X+6urTHe4bxN2ypg6ROIUmT+Hx1ITG40LRRiPTAoGBAOcT\n"
"WR8DTrj42xbxAUpz9vxJ15ZMwuIpk3ShE6+CWqvaXHF22Ju4WFwRNlW2zVLH6UMt\n"
"nNfOzyDoryoiu0+0mg0wSmgdJbtCSHoI2GeiAnjGn5i8flQlPQ8bdwwmU6g6I/EU\n"
"QRbGK/2XLmlrGN52gVy9UX0NsAA5fEOsAJiFj1CdAoGBAN9i3nbq6O2bNVSa/8mL\n"
"XaD1vGe/oQgh8gaIaYSpuXlfbjCAG+C4BZ81XgJkfj3CbfGbDNqimsqI0fKsAJ/F\n"
"HHpVMgrOn3L+Np2bW5YMj0Fzwy+1SCvsQ8C+gJwjOLMV6syGp/+6udMSB55rRv3k\n"
"rPnIf+YDumUke4tTw9wAcgkPAoGASHMkiji7QfuklbjSsslRMyDj21gN8mMevH6U\n"
"cX7pduBsA5dDqu9NpPAwnQdHsSDE3i868d8BykuqQAfLut3hPylY6vPYlLHfj4Oe\n"
"dj+xjrSX7YeMBE34qvfth32s1R4FjtzO25keyc/Q2XSew4FcZftlxVO5Txi3AXC4\n"
"bxnRKXECgYEAva+og7/rK+ZjboJVNxhFrwHp9bXhz4tzrUaWNvJD2vKJ5ZcThHcX\n"
"zCig8W7eXHLPLDhi9aWZ3kUZ1RLhrFc/6dujtVtU9z2w1tmn1I+4Zi6D6L4DzKdg\n"
"nMRLFoXufs/qoaJTqa8sQvKa+ceJAF04+gGtw617cuaZdZ3SYRLR2dk=\n"
"-----END RSA PRIVATE KEY-----\n";

/* Datum wrapping server_key_pem; size is sizeof() of the array, so the
 * terminating NUL is counted as well. */
const gnutls_datum_t server_key = { server_key_pem,
	sizeof(server_key_pem)
};
142
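/*
 * Abort the test with a diagnostic when a GnuTLS call reported an error.
 *
 * @param ret   return value of the call; negative means failure
 * @param what  name of the call, used in the message
 */
static void check_ret(int ret, const char *what)
{
	if (ret < 0) {
		fprintf(stderr, "%s failed: %s\n", what, gnutls_strerror(ret));
		exit(1);
	}
}

/*
 * Run certificate verification on the peer of `client` against the
 * given DNS hostname, additionally requiring the TLS WWW server key
 * purpose.
 *
 * @param client    client session after a completed handshake
 * @param hostname  expected DNS hostname, NUL-terminated
 * @return the verification status bitmask (0 means the chain verified);
 *         exits the process if verification could not be carried out
 */
static unsigned verify_peer(gnutls_session_t client, const char *hostname)
{
	gnutls_typed_vdata_st data[2];
	unsigned status = 0;
	int ret;

	/* .size stays 0: the hostname is then taken as a NUL-terminated string */
	memset(data, 0, sizeof(data));
	data[0].type = GNUTLS_DT_DNS_HOSTNAME;
	data[0].data = (void *)hostname;
	data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
	data[1].data = (void *)GNUTLS_KP_TLS_WWW_SERVER;

	ret = gnutls_certificate_verify_peers(client, data, 2, &status);
	if (ret < 0) {
		fprintf(stderr, "could not verify certificate: %s\n",
			gnutls_strerror(ret));
		exit(1);
	}
	return status;
}

/*
 * Self-test entry point (called from the test harness' main()).
 *
 * Performs a TLS handshake between an in-process client and server over
 * the eagain-common transport, then checks on the client side that the
 * full two-certificate chain was received, that verification against the
 * wrong hostname ("localhost1") is rejected, and that verification against
 * "localhost" succeeds.  Every failure terminates the process with exit
 * status 1; reaching the end means success.
 */
void doit(void)
{
	/* Server stuff. */
	gnutls_certificate_credentials_t serverx509cred;
	gnutls_session_t server;
	int sret = GNUTLS_E_AGAIN;	/* kept for HANDSHAKE(), which appears to use it */
	/* Client stuff. */
	gnutls_certificate_credentials_t clientx509cred;
	gnutls_session_t client;
	int cret = GNUTLS_E_AGAIN;	/* likewise */

	/* General init. */
	global_init();
	gnutls_global_set_log_function(tls_log_func);
	if (debug)
		gnutls_global_set_log_level(2);

	/* Init server.  Every call is checked, matching the client side. */
	check_ret(gnutls_certificate_allocate_credentials(&serverx509cred),
		  "gnutls_certificate_allocate_credentials");
	check_ret(gnutls_certificate_set_x509_key_mem(serverx509cred,
						      &server_cert, &server_key,
						      GNUTLS_X509_FMT_PEM),
		  "gnutls_certificate_set_x509_key_mem");
	check_ret(gnutls_init(&server, GNUTLS_SERVER), "gnutls_init");
	check_ret(gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
					 serverx509cred),
		  "gnutls_credentials_set");
	/* Pin the server to a single cipher so the negotiated suite is fixed.
	 * The non-FIPS build keeps the legacy ARCFOUR (RC4) choice; this is a
	 * self-test setting, not a priority string to copy into deployments. */
	check_ret(gnutls_priority_set_direct(server,
#ifndef ENABLE_FIPS140
					     "NORMAL:-CIPHER-ALL:+ARCFOUR-128",
#else
					     "NORMAL:-CIPHER-ALL:+AES-128-CBC",
#endif
					     NULL),
		  "gnutls_priority_set_direct");
	gnutls_transport_set_push_function(server, server_push);
	gnutls_transport_set_pull_function(server, server_pull);
	gnutls_transport_set_ptr(server, server);

	/* Init client.  Only the test CA is trusted. */
	check_ret(gnutls_certificate_allocate_credentials(&clientx509cred),
		  "gnutls_certificate_allocate_credentials");
	check_ret(gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca_cert,
							GNUTLS_X509_FMT_PEM),
		  "gnutls_certificate_set_x509_trust_mem");
	check_ret(gnutls_init(&client, GNUTLS_CLIENT), "gnutls_init");
	check_ret(gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
					 clientx509cred),
		  "gnutls_credentials_set");
	check_ret(gnutls_priority_set_direct(client, "NORMAL:+ARCFOUR-128", NULL),
		  "gnutls_priority_set_direct");
	gnutls_transport_set_push_function(client, client_push);
	gnutls_transport_set_pull_function(client, client_pull);
	gnutls_transport_set_ptr(client, client);

	HANDSHAKE(client, server);

	/* check the number of certificates received */
	{
		unsigned cert_list_size = 0;
		const gnutls_datum_t *cert_list;
		unsigned status;

		/* A NULL list means no certificate was received at all. */
		cert_list = gnutls_certificate_get_peers(client, &cert_list_size);
		if (cert_list == NULL || cert_list_size < 2) {
			fprintf(stderr, "received a certificate list of %u!\n",
				cert_list_size);
			exit(1);
		}

		/* Hostname mismatch must be reported as a non-zero status. */
		status = verify_peer(client, "localhost1");
		if (status == 0) {
			fprintf(stderr, "should not have accepted!\n");
			exit(1);
		}

		/* The name the certificate was issued for must verify cleanly. */
		status = verify_peer(client, "localhost");
		if (status != 0) {
			fprintf(stderr, "could not verify certificate: %.4x\n",
				status);
			exit(1);
		}
	}

	gnutls_bye(client, GNUTLS_SHUT_RDWR);
	gnutls_bye(server, GNUTLS_SHUT_RDWR);

	gnutls_deinit(client);
	gnutls_deinit(server);

	gnutls_certificate_free_credentials(serverx509cred);
	gnutls_certificate_free_credentials(clientx509cred);

	gnutls_global_deinit();

	/* Every failure path above exits, so getting here is success. */
	if (debug > 0)
		puts("Self-test successful");
}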