Use x509_crt_verify_info() in programs
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index 57104ca..057b842 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -203,24 +203,16 @@
*/
polarssl_printf( " . Verifying peer X.509 certificate..." );
- /* In real life, we may want to bail out when ret != 0 */
+ /* In real life, we probably want to bail out when ret != 0 */
if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
{
+ char vrfy_buf[512];
+
polarssl_printf( " failed\n" );
- if( ( ret & BADCERT_EXPIRED ) != 0 )
- polarssl_printf( " ! server certificate has expired\n" );
+ x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
- if( ( ret & BADCERT_REVOKED ) != 0 )
- polarssl_printf( " ! server certificate has been revoked\n" );
-
- if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
- polarssl_printf( " ! CN mismatch (expected CN=%s)\n", "PolarSSL Server 1" );
-
- if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
- polarssl_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- polarssl_printf( "\n" );
+ polarssl_printf( "%s\n", vrfy_buf );
}
else
polarssl_printf( " ok\n" );
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index da3dba7..cdadf59 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -350,29 +350,13 @@
x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
polarssl_printf( "%s", buf );
- if( ( (*flags) & BADCERT_EXPIRED ) != 0 )
- polarssl_printf( " ! server certificate has expired\n" );
-
- if( ( (*flags) & BADCERT_REVOKED ) != 0 )
- polarssl_printf( " ! server certificate has been revoked\n" );
-
- if( ( (*flags) & BADCERT_CN_MISMATCH ) != 0 )
- polarssl_printf( " ! CN mismatch\n" );
-
- if( ( (*flags) & BADCERT_NOT_TRUSTED ) != 0 )
- polarssl_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- if( ( (*flags) & BADCRL_NOT_TRUSTED ) != 0 )
- polarssl_printf( " ! CRL not trusted\n" );
-
- if( ( (*flags) & BADCRL_EXPIRED ) != 0 )
- polarssl_printf( " ! CRL expired\n" );
-
- if( ( (*flags) & BADCERT_OTHER ) != 0 )
- polarssl_printf( " ! other (unknown) flag\n" );
-
if ( ( *flags ) == 0 )
polarssl_printf( " This certificate has no flags\n" );
+ else
+ {
+ x509_crt_verify_info( buf, sizeof( buf ), " ! ", *flags );
+ polarssl_printf( "%s\n", buf );
+ }
return( 0 );
}
@@ -1142,21 +1126,13 @@
if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
{
+ char vrfy_buf[512];
+
polarssl_printf( " failed\n" );
- if( ( ret & BADCERT_EXPIRED ) != 0 )
- polarssl_printf( " ! server certificate has expired\n" );
+ x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
- if( ( ret & BADCERT_REVOKED ) != 0 )
- polarssl_printf( " ! server certificate has been revoked\n" );
-
- if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
- polarssl_printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name );
-
- if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
- polarssl_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- polarssl_printf( "\n" );
+ polarssl_printf( "%s\n", vrfy_buf );
}
else
polarssl_printf( " ok\n" );
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 2b2d493..fcda1dd 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -169,7 +169,7 @@
}
}
-static int do_handshake( ssl_context *ssl, struct options *opt )
+static int do_handshake( ssl_context *ssl )
{
int ret;
unsigned char buf[1024];
@@ -201,24 +201,16 @@
*/
polarssl_printf( " . Verifying peer X.509 certificate..." );
- /* In real life, we may want to bail out when ret != 0 */
+ /* In real life, we probably want to bail out when ret != 0 */
if( ( ret = ssl_get_verify_result( ssl ) ) != 0 )
{
+ char vrfy_buf[512];
+
polarssl_printf( " failed\n" );
- if( ( ret & BADCERT_EXPIRED ) != 0 )
- polarssl_printf( " ! server certificate has expired\n" );
+ x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
- if( ( ret & BADCERT_REVOKED ) != 0 )
- polarssl_printf( " ! server certificate has been revoked\n" );
-
- if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
- polarssl_printf( " ! CN mismatch (expected CN=%s)\n", opt->server_name );
-
- if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
- polarssl_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- polarssl_printf( "\n" );
+ polarssl_printf( "%s\n", vrfy_buf );
}
else
polarssl_printf( " ok\n" );
@@ -638,7 +630,7 @@
if( opt.mode == MODE_SSL_TLS )
{
- if( do_handshake( &ssl, &opt ) != 0 )
+ if( do_handshake( &ssl ) != 0 )
goto exit;
polarssl_printf( " > Get header from server:" );
@@ -707,7 +699,7 @@
polarssl_printf(" ok\n" );
- if( do_handshake( &ssl, &opt ) != 0 )
+ if( do_handshake( &ssl ) != 0 )
goto exit;
}
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index d1bc36e..095fabd 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -1626,21 +1626,13 @@
if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
{
+ char vrfy_buf[512];
+
polarssl_printf( " failed\n" );
- if( !ssl_get_peer_cert( &ssl ) )
- polarssl_printf( " ! no client certificate sent\n" );
+ x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
- if( ( ret & BADCERT_EXPIRED ) != 0 )
- polarssl_printf( " ! client certificate has expired\n" );
-
- if( ( ret & BADCERT_REVOKED ) != 0 )
- polarssl_printf( " ! client certificate has been revoked\n" );
-
- if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
- polarssl_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- polarssl_printf( "\n" );
+ polarssl_printf( "%s\n", vrfy_buf );
}
else
polarssl_printf( " ok\n" );
diff --git a/programs/test/ssl_cert_test.c b/programs/test/ssl_cert_test.c
index d823964..a212730 100644
--- a/programs/test/ssl_cert_test.c
+++ b/programs/test/ssl_cert_test.c
@@ -173,19 +173,14 @@
{
if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED )
{
- if( flags & BADCERT_CN_MISMATCH )
- polarssl_printf( " CN_MISMATCH " );
- if( flags & BADCERT_EXPIRED )
- polarssl_printf( " EXPIRED " );
- if( flags & BADCERT_REVOKED )
- polarssl_printf( " REVOKED " );
- if( flags & BADCERT_NOT_TRUSTED )
- polarssl_printf( " NOT_TRUSTED " );
- if( flags & BADCRL_NOT_TRUSTED )
- polarssl_printf( " CRL_NOT_TRUSTED " );
- if( flags & BADCRL_EXPIRED )
- polarssl_printf( " CRL_EXPIRED " );
- } else {
+ char vrfy_buf[512];
+
+ polarssl_printf( " failed\n" );
+ x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
+ polarssl_printf( "%s\n", vrfy_buf );
+ }
+ else
+ {
polarssl_printf( " failed\n ! x509_crt_verify returned %d\n\n", ret );
goto exit;
}
diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c
index 72f69ba..3a6ae87 100644
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
@@ -128,29 +128,13 @@
x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
polarssl_printf( "%s", buf );
- if( ( (*flags) & BADCERT_EXPIRED ) != 0 )
- polarssl_printf( " ! server certificate has expired\n" );
-
- if( ( (*flags) & BADCERT_REVOKED ) != 0 )
- polarssl_printf( " ! server certificate has been revoked\n" );
-
- if( ( (*flags) & BADCERT_CN_MISMATCH ) != 0 )
- polarssl_printf( " ! CN mismatch\n" );
-
- if( ( (*flags) & BADCERT_NOT_TRUSTED ) != 0 )
- polarssl_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- if( ( (*flags) & BADCRL_NOT_TRUSTED ) != 0 )
- polarssl_printf( " ! CRL not trusted\n" );
-
- if( ( (*flags) & BADCRL_EXPIRED ) != 0 )
- polarssl_printf( " ! CRL expired\n" );
-
- if( ( (*flags) & BADCERT_OTHER ) != 0 )
- polarssl_printf( " ! other (unknown) flag\n" );
-
if ( ( *flags ) == 0 )
polarssl_printf( " This certificate has no flags\n" );
+ else
+ {
+ x509_crt_verify_info( buf, sizeof( buf ), " ! ", *flags );
+ polarssl_printf( "%s\n", buf );
+ }
return( 0 );
}
@@ -358,21 +342,13 @@
if( ( ret = x509_crt_verify( &crt, &cacert, &cacrl, NULL, &flags,
my_verify, NULL ) ) != 0 )
{
+ char vrfy_buf[512];
+
polarssl_printf( " failed\n" );
- if( ( ret & BADCERT_EXPIRED ) != 0 )
- polarssl_printf( " ! server certificate has expired\n" );
+ x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
- if( ( ret & BADCERT_REVOKED ) != 0 )
- polarssl_printf( " ! server certificate has been revoked\n" );
-
- if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
- polarssl_printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name );
-
- if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
- polarssl_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- polarssl_printf( "\n" );
+ polarssl_printf( "%s\n", vrfy_buf );
}
else
polarssl_printf( " ok\n" );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 63c0a23..75c5942 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1338,7 +1338,7 @@
"$P_CLI debug_level=1 auth_mode=required" \
1 \
-c "x509_verify_cert() returned" \
- -c "! self-signed or not signed by a trusted CA" \
+ -c "! The certificate is not correctly signed by the trusted CA" \
-c "! ssl_handshake returned" \
-c "X509 - Certificate verification failed"
@@ -1348,7 +1348,7 @@
"$P_CLI debug_level=1 auth_mode=optional" \
0 \
-c "x509_verify_cert() returned" \
- -c "! self-signed or not signed by a trusted CA" \
+ -c "! The certificate is not correctly signed by the trusted CA" \
-C "! ssl_handshake returned" \
-C "X509 - Certificate verification failed"
@@ -1358,7 +1358,7 @@
"$P_CLI debug_level=1 auth_mode=none" \
0 \
-C "x509_verify_cert() returned" \
- -C "! self-signed or not signed by a trusted CA" \
+ -C "! The certificate is not correctly signed by the trusted CA" \
-C "! ssl_handshake returned" \
-C "X509 - Certificate verification failed"
@@ -1374,7 +1374,7 @@
-C "skip write certificate verify" \
-S "skip parse certificate verify" \
-s "x509_verify_cert() returned" \
- -S "! self-signed or not signed by a trusted CA" \
+ -S "! The certificate is not correctly signed by the trusted CA" \
-s "! ssl_handshake returned" \
-c "! ssl_handshake returned" \
-s "X509 - Certificate verification failed"
@@ -1391,7 +1391,7 @@
-C "skip write certificate verify" \
-S "skip parse certificate verify" \
-s "x509_verify_cert() returned" \
- -s "! self-signed or not signed by a trusted CA" \
+ -s "! The certificate is not correctly signed by the trusted CA" \
-S "! ssl_handshake returned" \
-C "! ssl_handshake returned" \
-S "X509 - Certificate verification failed"
@@ -1408,7 +1408,7 @@
-c "skip write certificate verify" \
-s "skip parse certificate verify" \
-S "x509_verify_cert() returned" \
- -S "! self-signed or not signed by a trusted CA" \
+ -S "! The certificate is not correctly signed by the trusted CA" \
-S "! ssl_handshake returned" \
-C "! ssl_handshake returned" \
-S "X509 - Certificate verification failed"
@@ -1425,7 +1425,7 @@
-S "SSLv3 client has no certificate" \
-c "skip write certificate verify" \
-s "skip parse certificate verify" \
- -s "! no client certificate sent" \
+ -s "! Certificate was missing" \
-S "! ssl_handshake returned" \
-C "! ssl_handshake returned" \
-S "X509 - Certificate verification failed"
@@ -1436,7 +1436,7 @@
0 \
-S "skip write certificate request" \
-s "skip parse certificate verify" \
- -s "! no client certificate sent" \
+ -s "! Certificate was missing" \
-S "! ssl_handshake returned" \
-S "X509 - Certificate verification failed"
@@ -1462,7 +1462,7 @@
-c "got no certificate to send" \
-s "SSLv3 client has no certificate" \
-s "skip parse certificate verify" \
- -s "! no client certificate sent" \
+ -s "! Certificate was missing" \
-S "! ssl_handshake returned" \
-C "! ssl_handshake returned" \
-S "X509 - Certificate verification failed"