diff options
Diffstat (limited to '')
| -rw-r--r-- | tests/x509cert-tl.c | 402 |
1 files changed, 402 insertions, 0 deletions
diff --git a/tests/x509cert-tl.c b/tests/x509cert-tl.c new file mode 100644 index 0000000..c1a6295 --- /dev/null +++ b/tests/x509cert-tl.c @@ -0,0 +1,402 @@ +/* + * Copyright (C) 2011-2012 Free Software Foundation, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GnuTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/* Parts copied from GnuTLS example programs. */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/types.h> +#include <unistd.h> +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> + +#include "utils.h" + +/* gnutls_trust_list_*(). + */ + +static void tls_log_func(int level, const char *str) +{ + fprintf(stderr, "<%d>| %s", level, str); +} + +static unsigned char ca_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIIB5zCCAVKgAwIBAgIERiYdJzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" + "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTExWhcNMDgwNDE3MTMyOTExWjAZMRcw\n" + "FQYDVQQDEw5HbnVUTFMgdGVzdCBDQTCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA\n" + "vuyYeh1vfmslnuggeEKgZAVmQ5ltSdUY7H25WGSygKMUYZ0KT74v8C780qtcNt9T\n" + "7EPH/N6RvB4BprdssgcQLsthR3XKA84jbjjxNCcaGs33lvOz8A1nf8p3hD+cKfRi\n" + "kfYSW2JazLrtCC4yRCas/SPOUxu78of+3HiTfFm/oXUCAwEAAaNDMEEwDwYDVR0T\n" + "AQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBTpPBz7rZJu5gak\n" + "Viyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAiaIRqGfp1jPpNeVhABK60SU0KIAy\n" + "njuu7kHq5peUgYn8Jd9zNzExBOEp1VOipGsf6G66oQAhDFp2o8zkz7ZH71zR4HEW\n" + "KoX6n5Emn6DvcEH/9pAhnGxNHJAoS7czTKv/JDZJhkqHxyrE1fuLsg5Qv25DTw7+\n" + "PfqUpIhz5Bbm7J4=\n" "-----END CERTIFICATE-----\n"; +const gnutls_datum_t ca = { ca_pem, sizeof(ca_pem) }; + +static unsigned char cert_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIICHjCCAYmgAwIBAgIERiYdNzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" + "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTI3WhcNMDgwNDE3MTMyOTI3WjAdMRsw\n" + "GQYDVQQDExJHbnVUTFMgdGVzdCBjbGllbnQwgZwwCwYJKoZIhvcNAQEBA4GMADCB\n" + "iAKBgLtmQ/Xyxde2jMzF3/WIO7HJS2oOoa0gUEAIgKFPXKPQ+GzP5jz37AR2ExeL\n" + "ZIkiW8DdU3w77XwEu4C5KL6Om8aOoKUSy/VXHqLnu7czSZ/ju0quak1o/8kR4jKN\n" + "zj2AC41179gAgY8oBAOgIo1hBAf6tjd9IQdJ0glhaZiQo1ipAgMBAAGjdjB0MAwG\n" + "A1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDwYDVR0PAQH/BAUDAweg\n" + "ADAdBgNVHQ4EFgQUTLkKm/odNON+3svSBxX+odrLaJEwHwYDVR0jBBgwFoAU6Twc\n" + "+62SbuYGpFYsouHAUyfI8pUwCwYJKoZIhvcNAQEFA4GBALujmBJVZnvaTXr9cFRJ\n" + "jpfc/3X7sLUsMvumcDE01ls/cG5mIatmiyEU9qI3jbgUf82z23ON/acwJf875D3/\n" + "U7jyOsBJ44SEQITbin2yUeJMIm1tievvdNXBDfW95AM507ShzP12sfiJkJfjjdhy\n" + "dc8Siq5JojruiMizAf0pA7in\n" "-----END CERTIFICATE-----\n"; +const gnutls_datum_t cert = { cert_pem, sizeof(cert_pem) }; + +static unsigned char key_pem[] = + "-----BEGIN RSA PRIVATE KEY-----\n" + "MIICXAIBAAKBgQC7ZkP18sXXtozMxd/1iDuxyUtqDqGtIFBACIChT1yj0Phsz+Y8\n" + "9+wEdhMXi2SJIlvA3VN8O+18BLuAuSi+jpvGjqClEsv1Vx6i57u3M0mf47tKrmpN\n" + "aP/JEeIyjc49gAuNde/YAIGPKAQDoCKNYQQH+rY3fSEHSdIJYWmYkKNYqQIDAQAB\n" + "AoGADpmARG5CQxS+AesNkGmpauepiCz1JBF/JwnyiX6vEzUh0Ypd39SZztwrDxvF\n" + "PJjQaKVljml1zkJpIDVsqvHdyVdse8M+Qn6hw4x2p5rogdvhhIL1mdWo7jWeVJTF\n" + "RKB7zLdMPs3ySdtcIQaF9nUAQ2KJEvldkO3m/bRJFEp54k0CQQDYy+RlTmwRD6hy\n" + "7UtMjR0H3CSZJeQ8svMCxHLmOluG9H1UKk55ZBYfRTsXniqUkJBZ5wuV1L+pR9EK\n" + "ca89a+1VAkEA3UmBelwEv2u9cAU1QjKjmwju1JgXbrjEohK+3B5y0ESEXPAwNQT9\n" + "TrDM1m9AyxYTWLxX93dI5QwNFJtmbtjeBQJARSCWXhsoaDRG8QZrCSjBxfzTCqZD\n" + "ZXtl807ymCipgJm60LiAt0JLr4LiucAsMZz6+j+quQbSakbFCACB8SLV1QJBAKZQ\n" + "YKf+EPNtnmta/rRKKvySsi3GQZZN+Dt3q0r094XgeTsAqrqujVNfPhTMeP4qEVBX\n" + "/iVX2cmMTSh3w3z8MaECQEp0XJWDVKOwcTW6Ajp9SowtmiZ3YDYo1LF9igb4iaLv\n" + "sWZGfbnU3ryjvkb6YuFjgtzbZDZHWQCo8/cOtOBmPdk=\n" + "-----END RSA PRIVATE KEY-----\n"; +const gnutls_datum_t key = { key_pem, sizeof(key_pem) }; + +static unsigned char server_cert_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" + "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n" + "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n" + "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n" + "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n" + "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n" + "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n" + "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n" + "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n" + "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n" + "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n" + "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n" + "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n"; + +const gnutls_datum_t server_cert = { server_cert_pem, + sizeof(server_cert_pem) +}; + +static unsigned char server_key_pem[] = + "-----BEGIN RSA PRIVATE KEY-----\n" + "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n" + "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n" + "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n" + "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n" + "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n" + "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n" + "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n" + "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n" + "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n" + "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n" + "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n" + "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n" + "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n" + "-----END RSA PRIVATE KEY-----\n"; + +static unsigned char cert_der[602] = + "\x30\x82\x02\x56\x30\x82\x01\xc1\xa0\x03\x02\x01\x02\x02\x04\x46" + "\x26\x1d\x31\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05" + "\x30\x19\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0e\x47\x6e\x75" + "\x54\x4c\x53\x20\x74\x65\x73\x74\x20\x43\x41\x30\x1e\x17\x0d\x30" + "\x37\x30\x34\x31\x38\x31\x33\x32\x39\x32\x31\x5a\x17\x0d\x30\x38" + "\x30\x34\x31\x37\x31\x33\x32\x39\x32\x31\x5a\x30\x37\x31\x1b\x30" + "\x19\x06\x03\x55\x04\x0a\x13\x12\x47\x6e\x75\x54\x4c\x53\x20\x74" + "\x65\x73\x74\x20\x73\x65\x72\x76\x65\x72\x31\x18\x30\x16\x06\x03" + "\x55\x04\x03\x13\x0f\x74\x65\x73\x74\x2e\x67\x6e\x75\x74\x6c\x73" + "\x2e\x6f\x72\x67\x30\x81\x9c\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7" + "\x0d\x01\x01\x01\x03\x81\x8c\x00\x30\x81\x88\x02\x81\x80\xd7\xba" + "\x5c\xaf\xa3\x0c\xf0\x2e\xa9\x27\x56\xaa\x53\x8e\xa8\xeb\x7f\x81" + "\x75\x4c\x6b\x98\xbe\x4a\xea\xb7\x1e\xf8\x4b\xc3\x6a\xc4\xda\x0d" + "\x00\xb8\xea\x4c\x13\x1f\x36\x16\x93\xde\x72\xef\xc6\xa4\x5e\xb2" + "\x6e\xb6\xca\x0a\x88\x55\x75\x90\x96\xed\xa6\x57\xbc\x0c\x3b\x76" + "\x0d\x97\x1e\xbd\xe9\xec\x7f\xd3\xa9\xec\xfb\x85\x64\xa0\x6b\xa0" + "\x48\xce\x77\x7e\x73\x9c\x31\x13\xff\x3d\xc8\xae\xa5\x60\x6e\xd9" + "\xb6\x8c\x5a\x9a\x6f\xb6\xbe\x9f\x6a\xbd\xa7\xf0\xa0\x33\x27\xf5" + "\xb7\x1d\x92\xe5\x96\x9c\x73\x52\xd6\x9f\xd6\xc8\x8e\xb1\x02\x03" + "\x01\x00\x01\xa3\x81\x93\x30\x81\x90\x30\x0c\x06\x03\x55\x1d\x13" + "\x01\x01\xff\x04\x02\x30\x00\x30\x1a\x06\x03\x55\x1d\x11\x04\x13" + "\x30\x11\x82\x0f\x74\x65\x73\x74\x2e\x67\x6e\x75\x74\x6c\x73\x2e" + "\x6f\x72\x67\x30\x13\x06\x03\x55\x1d\x25\x04\x0c\x30\x0a\x06\x08" + "\x2b\x06\x01\x05\x05\x07\x03\x01\x30\x0f\x06\x03\x55\x1d\x0f\x01" + "\x01\xff\x04\x05\x03\x03\x07\xa0\x00\x30\x1d\x06\x03\x55\x1d\x0e" + "\x04\x16\x04\x14\xeb\xc7\x45\x6e\xe5\xf8\x25\xca\x8c\x8d\x83\x0d" + "\x74\xe9\x86\xd4\xdd\x55\xb4\x75\x30\x1f\x06\x03\x55\x1d\x23\x04" + "\x18\x30\x16\x80\x14\xe9\x3c\x1c\xfb\xad\x92\x6e\xe6\x06\xa4\x56" + "\x2c\xa2\xe1\xc0\x53\x27\xc8\xf2\x95\x30\x0b\x06\x09\x2a\x86\x48" + "\x86\xf7\x0d\x01\x01\x05\x03\x81\x81\x00\x68\x51\x0f\x4e\xdf\xbb" + "\x6f\x3b\xc1\xb8\xe7\xfb\xf9\x09\x9e\x41\xc9\xf6\xf6\x44\xfa\x06" + "\xcc\xa1\xd5\x11\xc9\x5d\xff\x0a\x4e\x4e\x50\x45\xfc\x29\xea\x88" + "\x1b\xa7\xde\x09\x41\x67\x0d\x43\xf4\xbb\x60\x31\x47\x82\x50\xf5" + "\x03\x05\x0d\x05\x15\xf0\x77\x7a\xe2\x52\xc3\x27\xb3\x18\x1e\x48" + "\x3c\x58\x05\xf2\x58\x6c\x32\xde\xa2\x13\x41\xb2\xa6\x8f\x0c\x96" + "\xfb\x5d\xa8\xa5\x59\xb3\x10\x29\xf0\x1b\x15\x0f\x1c\x9c\xec\x60" + "\xac\xe2\x8b\x51\x04\x56\x27\x42\xb7\x1f\x25\xd1\x32\x16\xea\x8d" + "\xd2\xc8\x69\x08\x82\xbd\x02\xee\x8b\x3a"; + +const gnutls_datum_t server_key = { server_key_pem, + sizeof(server_key_pem) +}; + +static time_t mytime(time_t * t) +{ + time_t then = 1207000800; + + if (t) + *t = then; + + return then; +} + +static void check_stored_algos(gnutls_x509_crt_t server_crt) +{ + int ret; + char oid[256]; + size_t oid_size; + + oid_size = sizeof(oid); + ret = gnutls_x509_crt_get_signature_oid(server_crt, oid, &oid_size); + if (ret < 0) { + fail("cannot get signature algorithm: %s\n", gnutls_strerror(ret)); + exit(1); + } + + if (strcmp(oid, "1.2.840.113549.1.1.5") != 0) { + fail("detected wrong algorithm OID: %s\n", oid); + exit(1); + } + + ret = gnutls_x509_crt_get_signature_algorithm(server_crt); + if (ret != GNUTLS_SIGN_RSA_SHA1) { + fail("detected wrong algorithm: %s\n", gnutls_sign_get_name(ret)); + exit(1); + } + + /* PK */ + oid_size = sizeof(oid); + ret = gnutls_x509_crt_get_pk_oid(server_crt, oid, &oid_size); + if (ret < 0) { + fail("cannot get PK algorithm: %s\n", gnutls_strerror(ret)); + exit(1); + } + + if (strcmp(oid, "1.2.840.113549.1.1.1") != 0) { + fail("detected wrong PK algorithm OID: %s\n", oid); + exit(1); + } + + ret = gnutls_x509_crt_get_pk_algorithm(server_crt, NULL); + if (ret != GNUTLS_PK_RSA) { + fail("detected wrong PK algorithm: %s\n", gnutls_pk_get_name(ret)); + exit(1); + } + +} + +#define NAME "localhost" +#define NAME_SIZE (sizeof(NAME)-1) +void doit(void) +{ + int ret; + const char *path; + gnutls_datum_t data; + gnutls_x509_crt_t server_crt, ca_crt2; + gnutls_x509_trust_list_t tl; + unsigned int status; + gnutls_typed_vdata_st vdata; + gnutls_digest_algorithm_t hash; + unsigned int mand; + + /* this must be called once in the program + */ + global_init(); + + gnutls_global_set_time_function(mytime); + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(6); + + /* test for gnutls_certificate_get_issuer() */ + gnutls_x509_trust_list_init(&tl, 0); + + gnutls_x509_crt_init(&server_crt); + gnutls_x509_crt_init(&ca_crt2); + + path = getenv("X509CERTDIR"); + if (!path) + path = "./x509cert-dir"; + + ret = + gnutls_x509_crt_import(server_crt, &cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("gnutls_x509_crt_import"); + + check_stored_algos(server_crt); + + ret = gnutls_x509_crt_get_preferred_hash_algorithm(server_crt, &hash, &mand); + if (ret < 0) { + fail("error in gnutls_x509_crt_get_preferred_hash_algorithm: %s\n", gnutls_strerror(ret)); + exit(1); + } + + if (mand != 0 || hash != GNUTLS_DIG_SHA256) { + fail("gnutls_x509_crt_get_preferred_hash_algorithm returned: %s/%d\n", gnutls_digest_get_name(hash), mand); + exit(1); + } + + ret = gnutls_x509_crt_import(ca_crt2, &ca, GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("gnutls_x509_crt_import"); + + ret = + gnutls_x509_trust_list_add_named_crt(tl, server_crt, NAME, + NAME_SIZE, 0); + if (ret < 0) + fail("gnutls_x509_trust_list_add_named_crt"); + + ret = + gnutls_x509_trust_list_verify_named_crt(tl, server_crt, NAME, + NAME_SIZE, 0, &status, + NULL); + if (ret < 0 || status != 0) + fail("gnutls_x509_trust_list_verify_named_crt: %d\n", + __LINE__); + + ret = + gnutls_x509_trust_list_verify_named_crt(tl, server_crt, NAME, + NAME_SIZE - 1, 0, + &status, NULL); + if (ret < 0 || status == 0) + fail("gnutls_x509_trust_list_verify_named_crt: %d\n", + __LINE__); + + ret = + gnutls_x509_trust_list_verify_named_crt(tl, server_crt, + "other", 5, 0, &status, + NULL); + if (ret < 0 || status == 0) + fail("gnutls_x509_trust_list_verify_named_crt: %d\n", + __LINE__); + + /* check whether the name-only verification works */ + vdata.type = GNUTLS_DT_DNS_HOSTNAME; + vdata.data = (void*)NAME; + vdata.size = NAME_SIZE; + ret = + gnutls_x509_trust_list_verify_crt2(tl, &server_crt, 1, &vdata, 1, + GNUTLS_VERIFY_ALLOW_BROKEN, &status, NULL); + if (ret < 0 || status != 0) + fail("gnutls_x509_trust_list_verify_crt2 - 1: status: %x\n", status); + + vdata.type = GNUTLS_DT_DNS_HOSTNAME; + vdata.data = (void*)NAME; + vdata.size = NAME_SIZE-2; + ret = + gnutls_x509_trust_list_verify_crt2(tl, &server_crt, 1, &vdata, 1, + 0, &status, NULL); + if (ret < 0 || status == 0) + fail("gnutls_x509_trust_list_verify_crt2 - 2: status: %x\n", status); + + + /* check whether the key verification works */ + ret = gnutls_x509_trust_list_add_trust_dir(tl, path, NULL, GNUTLS_X509_FMT_PEM, 0, 0); + if (ret != 1) + fail("gnutls_x509_trust_list_add_trust_dir: %d\n", ret); + + ret = + gnutls_x509_trust_list_verify_crt(tl, &server_crt, 1, GNUTLS_VERIFY_ALLOW_BROKEN, + &status, NULL); + if (ret < 0 || status != 0) + fail("gnutls_x509_trust_list_verify_crt\n"); + + + + /* test convenience functions in verify-high2.c */ + data.data = cert_pem; + data.size = strlen((char *) cert_pem); + ret = + gnutls_x509_trust_list_add_trust_mem(tl, &data, NULL, + GNUTLS_X509_FMT_PEM, 0, + 0); + if (ret < 1) + fail("gnutls_x509_trust_list_add_trust_mem: %d (%s)\n", + __LINE__, gnutls_strerror(ret)); + + ret = + gnutls_x509_trust_list_remove_trust_mem(tl, &data, + GNUTLS_X509_FMT_PEM); + if (ret < 1) + fail("gnutls_x509_trust_list_add_trust_mem: %d (%s)\n", + __LINE__, gnutls_strerror(ret)); + + data.data = cert_der; + data.size = sizeof(cert_der); + ret = + gnutls_x509_trust_list_add_trust_mem(tl, &data, NULL, + GNUTLS_X509_FMT_DER, 0, + 0); + if (ret < 1) + fail("gnutls_x509_trust_list_add_trust_mem: %d (%s)\n", + __LINE__, gnutls_strerror(ret)); + + ret = + gnutls_x509_trust_list_remove_trust_mem(tl, &data, + GNUTLS_X509_FMT_DER); + if (ret < 1) + fail("gnutls_x509_trust_list_add_trust_mem: %d (%s)\n", + __LINE__, gnutls_strerror(ret)); + + ret = gnutls_x509_trust_list_remove_cas(tl, &ca_crt2, 1); + if (ret < 1) + fail("gnutls_x509_trust_list_add_cas"); + + ret = + gnutls_x509_trust_list_verify_crt(tl, &server_crt, 1, 0, + &status, NULL); + if (ret == 0 && status == 0) + fail("gnutls_x509_trust_list_verify_crt\n"); + + gnutls_x509_trust_list_deinit(tl, 1); + gnutls_x509_crt_deinit(ca_crt2); + + gnutls_global_deinit(); + + if (debug) + success("success"); +} |