+/**
+ * gnutls_certificate_verification_status_print:
+ * @status: The status flags to be printed
+ * @type: The certificate type
+ * @out: Newly allocated datum with (0) terminated string.
+ * @flags: should be zero
+ *
+ * This function will pretty print the status of a verification
+ * process -- eg. the one obtained by gnutls_certificate_verify_peers3().
+ *
+ * The output @out needs to be deallocated using gnutls_free().
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ *
+ * Since: 3.1.4
+ **/
+int
+gnutls_certificate_verification_status_print(unsigned int status,
+ gnutls_certificate_type_t
+ type, gnutls_datum_t * out,
+ unsigned int flags)
+{
+ gnutls_buffer_st str;
+ int ret;
+
+ _gnutls_buffer_init(&str);
+
+ if (status == 0)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The certificate is trusted. "));
+ else
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The certificate is NOT trusted. "));
+
+ if (type == GNUTLS_CRT_X509) {
+ if (status & GNUTLS_CERT_REVOKED)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The certificate chain is revoked. "));
+
+ if (status & GNUTLS_CERT_MISMATCH)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The certificate doesn't match the local copy (TOFU). "));
+
+ if (status & GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The revocation data are old and have been superseded. "));
+
+ if (status & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The revocation data are issued with a future date. "));
+
+ if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The certificate issuer is unknown. "));
+
+ if (status & GNUTLS_CERT_SIGNER_NOT_CA)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The certificate issuer is not a CA. "));
+ } else if (type == GNUTLS_CRT_OPENPGP) {
+ if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("Could not find a signer of the certificate. "));
+
+ if (status & GNUTLS_CERT_REVOKED)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The certificate is revoked. "));
+ }
+
+ if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The certificate chain uses insecure algorithm. "));
+
+ if (status & GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The certificate chain violates the signer's constraints. "));
+
+ if (status & GNUTLS_CERT_NOT_ACTIVATED)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The certificate chain uses not yet valid certificate. "));
+
+ if (status & GNUTLS_CERT_EXPIRED)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The certificate chain uses expired certificate. "));
+
+ if (status & GNUTLS_CERT_SIGNATURE_FAILURE)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The signature in the certificate is invalid. "));
+
+ if (status & GNUTLS_CERT_UNEXPECTED_OWNER)
+ _gnutls_buffer_append_str(&str,
+ _
+ ("The name in the certificate does not match the expected. "));
+
+ ret = _gnutls_buffer_to_datum(&str, out);
+ if (out->size > 0)
+ out->size--;
+
+ return ret;
+}
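Review bot: The tail of the function (`ret = _gnutls_buffer_to_datum(&str, out); if (out->size > 0) out->size--;`) reads and decrements `out->size` before `ret` is checked, so if the conversion fails without writing `out`, the caller's possibly uninitialised datum is modified and handed back with an error code; return early with `if (ret < 0) return ret;` before touching `out`. The decrement also presumes a trailing NUL was counted in the buffer, yet nothing in the visible body appends one. Unless `_gnutls_buffer_to_datum` adds it (not visible here), the documented "(0) terminated string" is not terminated and the size merely drops the final space, which matters for callers that print `out->data` as a C string; appending it explicitly with `_gnutls_buffer_append_data(&str, "\0", 1);` before the conversion would make the contract hold. The return values of the `_gnutls_buffer_append_str` calls are ignored as well, so an allocation failure yields a silently truncated list of reasons.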