projects / claws.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Implement saving of the certificate chain, making the offline status
[claws.git] / src / common / ssl_certificate.c
diff --git a/src/common/ssl_certificate.c b/src/common/ssl_certificate.c
index baf533ca535b4e079b40e1ac8eb91e85a0f46536..b48d4d4b9dad2170495ffbfc3a13423021ac0fe7 100644 (file)
--- a/src/common/ssl_certificate.c
+++ b/src/common/ssl_certificate.c
@@ -20,6 +20,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include "config.h"
+#include "claws-features.h"
 #endif
 
 #ifdef USE_GNUTLS
@@ -33,6 +34,7 @@
 #include <stdio.h>
 #include <glib.h>
 #include <glib/gi18n.h>
+#include <errno.h>
 #ifdef G_OS_WIN32
 #  include <winsock2.h>
 #else
@@ -63,6 +65,16 @@ static gchar *get_certificate_path(const gchar *host, const gchar *port, const g
                          host, ".", port, ".cert", NULL);
 }
 
+static gchar *get_certificate_chain_path(const gchar *host, const gchar *port, const gchar *fp)
+{
+       gchar *tmp = get_certificate_path(host, port, fp);
+       gchar *result = g_strconcat(tmp, ".chain", NULL);
+
+       g_free(tmp);
+
+       return result;
+}
+
 char * readable_fingerprint(unsigned char *src, int len) 
 {
        int i=0;
@@ -86,12 +98,13 @@ char * readable_fingerprint(unsigned char *src, int len)
 }
 
 #if USE_GNUTLS
-static gnutls_x509_crt x509_crt_copy(gnutls_x509_crt src)
+static gnutls_x509_crt_t x509_crt_copy(gnutls_x509_crt_t src)
 {
     int ret;
     size_t size;
-    gnutls_datum tmp;
-    gnutls_x509_crt dest;
+    gnutls_datum_t tmp;
+    gnutls_x509_crt_t dest;
+    size = 0;
     
     if (gnutls_x509_crt_init(&dest) != 0) {
        g_warning("couldn't gnutls_x509_crt_init\n");
@@ -127,7 +140,7 @@ static gnutls_x509_crt x509_crt_copy(gnutls_x509_crt src)
 }
 #endif
 
-static SSLCertificate *ssl_certificate_new(gnutls_x509_crt x509_cert, const gchar *host, gushort port)
+static SSLCertificate *ssl_certificate_new(gnutls_x509_crt_t x509_cert, const gchar *host, gushort port)
 {
        SSLCertificate *cert = g_new0(SSLCertificate, 1);
        size_t n;
@@ -149,24 +162,24 @@ static SSLCertificate *ssl_certificate_new(gnutls_x509_crt x509_cert, const gcha
        return cert;
 }
 
-#ifdef USE_GNUTLS
-static void gnutls_i2d_X509_fp(FILE *fp, gnutls_x509_crt x509_cert)
+static void gnutls_export_X509_fp(FILE *fp, gnutls_x509_crt_t x509_cert, gnutls_x509_crt_fmt_t format)
 {
        char output[10*1024];
        size_t cert_size = 10*1024;
        int r;
        
-       if ((r = gnutls_x509_crt_export(x509_cert, GNUTLS_X509_FMT_DER, output, &cert_size)) < 0) {
+       if ((r = gnutls_x509_crt_export(x509_cert, format, output, &cert_size)) < 0) {
                g_warning("couldn't export cert %s (%zd)\n", gnutls_strerror(r), cert_size);
                return;
        }
+
        debug_print("writing %zd bytes\n",cert_size);
        if (fwrite(&output, 1, cert_size, fp) < cert_size) {
-               g_warning("failed to write cert\n");
+               g_warning("failed to write cert: %d %s\n", errno, strerror(errno));
        }
 }
 
-size_t gnutls_i2d_X509(gnutls_x509_crt x509_cert, unsigned char **output)
+size_t gnutls_i2d_X509(gnutls_x509_crt_t x509_cert, unsigned char **output)
 {
        size_t cert_size = 10*1024;
        int r;
@@ -185,7 +198,7 @@ size_t gnutls_i2d_X509(gnutls_x509_crt x509_cert, unsigned char **output)
        return cert_size;
 }
 
-size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey pkey, unsigned char **output)
+size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey_t pkey, unsigned char **output)
 {
        size_t key_size = 10*1024;
        int r;
@@ -204,40 +217,81 @@ size_t gnutls_i2d_PrivateKey(gnutls_x509_privkey pkey, unsigned char **output)
        return key_size;
 }
 
-static gnutls_x509_crt gnutls_d2i_X509_fp(FILE *fp, int format)
+static int gnutls_import_X509_list_fp(FILE *fp, gnutls_x509_crt_fmt_t format,
+                                  gnutls_x509_crt_t **cert_list, gint *num_certs)
 {
-       gnutls_x509_crt cert = NULL;
-       gnutls_datum tmp;
+       gnutls_x509_crt_t *crt_list;
+       unsigned int max = 512;
+       unsigned int flags = 0;
+       gnutls_datum_t tmp;
        struct stat s;
        int r;
+
+       *cert_list = NULL;
+       *num_certs = 0;
+
+       if (fp == NULL)
+               return -ENOENT;
+
        if (fstat(fileno(fp), &s) < 0) {
                perror("fstat");
-               return NULL;
+               return -errno;
        }
+
+       crt_list=(gnutls_x509_crt_t*)malloc(max*sizeof(gnutls_x509_crt_t));
        tmp.data = malloc(s.st_size);
        memset(tmp.data, 0, s.st_size);
        tmp.size = s.st_size;
        if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) {
                perror("fread");
                free(tmp.data);
-               return NULL;
+               free(crt_list);
+               return -EIO;
        }
 
-       gnutls_x509_crt_init(&cert);
-       if ((r = gnutls_x509_crt_import(cert, &tmp, (format == 0)?GNUTLS_X509_FMT_DER:GNUTLS_X509_FMT_PEM)) < 0) {
+       if ((r = gnutls_x509_crt_list_import(crt_list, &max, 
+                       &tmp, format, flags)) < 0) {
                debug_print("cert import failed: %s\n", gnutls_strerror(r));
-               gnutls_x509_crt_deinit(cert);
-               cert = NULL;
+               free(tmp.data);
+               free(crt_list);
+               return r;
        }
        free(tmp.data);
-       debug_print("got cert! %p\n", cert);
+       debug_print("got %d certs in crt_list! %p\n", max, &crt_list);
+
+       *cert_list = crt_list;
+       *num_certs = max;
+
+       return r;
+}
+
+/* return one certificate, read from file */
+static gnutls_x509_crt_t gnutls_import_X509_fp(FILE *fp, gnutls_x509_crt_fmt_t format)
+{
+       gnutls_x509_crt_t *certs = NULL;
+       gnutls_x509_crt_t cert = NULL;
+       int i, ncerts, r;
+
+       if ((r = gnutls_import_X509_list_fp(fp, format, &certs, &ncerts)) < 0) {
+               return NULL;
+       }
+
+       if (ncerts == 0)
+               return NULL;
+
+       for (i = 1; i < ncerts; i++)
+               gnutls_x509_crt_deinit(certs[i]);
+
+       cert = certs[0];
+       free(certs);
+
        return cert;
 }
 
-static gnutls_x509_privkey gnutls_d2i_key_fp(FILE *fp, int format)
+static gnutls_x509_privkey_t gnutls_import_key_fp(FILE *fp, gnutls_x509_crt_fmt_t format)
 {
-       gnutls_x509_privkey key = NULL;
-       gnutls_datum tmp;
+       gnutls_x509_privkey_t key = NULL;
+       gnutls_datum_t tmp;
        struct stat s;
        int r;
        if (fstat(fileno(fp), &s) < 0) {
@@ -254,7 +308,7 @@ static gnutls_x509_privkey gnutls_d2i_key_fp(FILE *fp, int format)
        }
 
        gnutls_x509_privkey_init(&key);
-       if ((r = gnutls_x509_privkey_import(key, &tmp, (format == 0)?GNUTLS_X509_FMT_DER:GNUTLS_X509_FMT_PEM)) < 0) {
+       if ((r = gnutls_x509_privkey_import(key, &tmp, format)) < 0) {
                debug_print("key import failed: %s\n", gnutls_strerror(r));
                gnutls_x509_privkey_deinit(key);
                key = NULL;
@@ -264,29 +318,32 @@ static gnutls_x509_privkey gnutls_d2i_key_fp(FILE *fp, int format)
        return key;
 }
 
-static gnutls_pkcs12_t gnutls_d2i_PKCS12_fp(FILE *fp, int format)
+static gnutls_pkcs12_t gnutls_import_PKCS12_fp(FILE *fp, gnutls_x509_crt_fmt_t format)
 {
        gnutls_pkcs12_t p12 = NULL;
-       gnutls_datum tmp;
+       gnutls_datum_t tmp;
        struct stat s;
        int r;
        if (fstat(fileno(fp), &s) < 0) {
-               perror("fstat");
+               log_error(LOG_PROTOCOL, _("Cannot stat P12 certificate file (%s)\n"),
+                                 strerror(errno));
                return NULL;
        }
        tmp.data = malloc(s.st_size);
        memset(tmp.data, 0, s.st_size);
        tmp.size = s.st_size;
        if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) {
-               perror("fread");
+               log_error(LOG_PROTOCOL, _("Cannot read P12 certificate file (%s)\n"),
+                                 strerror(errno));
                free(tmp.data);
                return NULL;
        }
 
        gnutls_pkcs12_init(&p12);
 
-       if ((r = gnutls_pkcs12_import(p12, &tmp, (format == 0)?GNUTLS_X509_FMT_DER:GNUTLS_X509_FMT_PEM,0)) < 0) {
-               g_warning("p12 import failed: %s\n", gnutls_strerror(r));
+       if ((r = gnutls_pkcs12_import(p12, &tmp, format, 0)) < 0) {
+               log_error(LOG_PROTOCOL, _("Cannot import P12 certificate file (%s)\n"),
+                                 gnutls_strerror(r));
                gnutls_pkcs12_deinit(p12);
                p12 = NULL;
        }
@@ -295,8 +352,6 @@ static gnutls_pkcs12_t gnutls_d2i_PKCS12_fp(FILE *fp, int format)
        return p12;
 }
 
-#endif
-
 static void ssl_certificate_save (SSLCertificate *cert)
 {
        gchar *file, *port;
@@ -319,11 +374,9 @@ static void ssl_certificate_save (SSLCertificate *cert)
                debug_print("Can't save certificate !\n");
                return;
        }
-#ifdef USE_GNUTLS
-       gnutls_i2d_X509_fp(fp, cert->x509_cert);
-#else
-       i2d_X509_fp(fp, cert->x509_cert);
-#endif
+
+       gnutls_export_X509_fp(fp, cert->x509_cert, GNUTLS_X509_FMT_DER);
+
        g_free(file);
        fclose(fp);
 
@@ -350,6 +403,9 @@ void ssl_certificate_delete_from_disk(SSLCertificate *cert)
        file = get_certificate_path(cert->host, buf, cert->fingerprint);
        claws_unlink (file);
        g_free(file);
+       file = get_certificate_chain_path(cert->host, buf, cert->fingerprint);
+       claws_unlink (file);
+       g_free(file);
        g_free(buf);
 }
 
@@ -358,7 +414,7 @@ SSLCertificate *ssl_certificate_find (const gchar *host, gushort port, const gch
        gchar *file = NULL;
        gchar *buf;
        SSLCertificate *cert = NULL;
-       gnutls_x509_crt tmp_x509;
+       gnutls_x509_crt_t tmp_x509;
        FILE *fp = NULL;
        gboolean must_rename = FALSE;
 
@@ -388,11 +444,12 @@ SSLCertificate *ssl_certificate_find (const gchar *host, gushort port, const gch
                return NULL;
        }
        
-       if ((tmp_x509 = gnutls_d2i_X509_fp(fp, 0)) != NULL) {
+       if ((tmp_x509 = gnutls_import_X509_fp(fp, GNUTLS_X509_FMT_DER)) != NULL) {
                cert = ssl_certificate_new(tmp_x509, host, port);
                debug_print("got cert %p\n", cert);
                gnutls_x509_crt_deinit(tmp_x509);
        }
+
        fclose(fp);
        g_free(file);
        
@@ -463,15 +520,15 @@ static gboolean ssl_certificate_compare (SSLCertificate *cert_a, SSLCertificate
        return TRUE;
 }
 
-static guint check_cert(gnutls_x509_crt cert)
+static guint check_cert(SSLCertificate *cert)
 {
-       gnutls_x509_crt *ca_list;
-       unsigned int max = 512;
+       gnutls_x509_crt_t *ca_list = NULL;
+       gnutls_x509_crt_t *chain = NULL;
+       unsigned int max_ca = 512, max_certs;
        unsigned int flags = 0;
-       gnutls_datum tmp;
-       struct stat s;
        int r, i;
        unsigned int status;
+       gchar *chain_file = NULL, *buf = NULL;
        FILE *fp;
 
        if (claws_ssl_get_cert_file())
@@ -479,38 +536,63 @@ static guint check_cert(gnutls_x509_crt cert)
        else
                return (guint)-1;
 
-       if (fstat(fileno(fp), &s) < 0) {
-               perror("fstat");
+       if ((r = gnutls_import_X509_list_fp(fp, GNUTLS_X509_FMT_PEM, &ca_list, &max_ca)) < 0) {
+               debug_print("CA import failed: %s\n", gnutls_strerror(r));
                fclose(fp);
                return (guint)-1;
        }
-
-       ca_list=(gnutls_x509_crt_t*)malloc(max*sizeof(gnutls_x509_crt_t));
-       tmp.data = malloc(s.st_size);
-       memset(tmp.data, 0, s.st_size);
-       tmp.size = s.st_size;
-       if (fread (tmp.data, 1, s.st_size, fp) < s.st_size) {
-               perror("fread");
-               free(tmp.data);
-               free(ca_list);
+       fclose(fp);
+       fp = NULL;
+       
+       buf = g_strdup_printf("%d", cert->port);
+       chain_file = get_certificate_chain_path(cert->host, buf, cert->fingerprint);
+       g_free(buf);
+       if (is_file_exist(chain_file)) {
+               unsigned char md[128];
+               size_t n;
+               char *fingerprint;
+
+               fp = g_fopen(chain_file, "r");
+               if ((r = gnutls_import_X509_list_fp(fp, GNUTLS_X509_FMT_PEM, &chain, &max_certs)) < 0) {
+                       debug_print("chain import failed: %s\n", gnutls_strerror(r));
+                       fclose(fp);
+                       g_free(chain_file);
+                       return (guint)-1;
+               }
+               g_free(chain_file);
                fclose(fp);
-               return (guint)-1;
-       }
+               fp = NULL;
+
+               gnutls_x509_crt_get_fingerprint(chain[0], GNUTLS_DIG_MD5, md, &n);
+               fingerprint = readable_fingerprint(md, n);
+               if (!fingerprint || strcmp(fingerprint, cert->fingerprint)) {
+                       debug_print("Saved chain fingerprint does not match current : %s / %s",
+                               cert->fingerprint, fingerprint);
+                               
+                       return (guint)-1;
+               }
+               g_free(fingerprint);
 
-       if ((r = gnutls_x509_crt_list_import(ca_list, &max, 
-                       &tmp, GNUTLS_X509_FMT_PEM, flags)) < 0) {
-               debug_print("cert import failed: %s\n", gnutls_strerror(r));
-               free(tmp.data);
-               free(ca_list);
-               fclose(fp);
-               return (guint)-1;
+               r = gnutls_x509_crt_list_verify (chain,
+                                    max_certs,
+                                    ca_list, max_ca,
+                                    NULL, 0,
+                                    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
+                                    &status);
+               if (r < 0)
+                       debug_print("chain check failed: %s\n", gnutls_strerror(r));
+
+               for (i = 0; i < max_certs; i++)
+                       gnutls_x509_crt_deinit(chain[i]);
+               free(chain);
+
+       } else {
+               r = gnutls_x509_crt_verify(cert->x509_cert, ca_list, max_ca, flags, &status);
+               if (r < 0)
+                       debug_print("cert check failed: %s\n", gnutls_strerror(r));
        }
-       free(tmp.data);
-       debug_print("got %d certs in ca_list! %p\n", max, &ca_list);
-       r = gnutls_x509_crt_verify(cert, ca_list, max, flags, &status);
-       fclose(fp);
 
-       for (i = 0; i < max; i++)
+       for (i = 0; i < max_ca; i++)
                gnutls_x509_crt_deinit(ca_list[i]);
        free(ca_list);
 
@@ -521,15 +603,20 @@ static guint check_cert(gnutls_x509_crt cert)
 
 }
 
-char *ssl_certificate_check_signer (gnutls_x509_crt cert, guint status) 
+char *ssl_certificate_check_signer (SSLCertificate *cert, guint status) 
 {
+       gnutls_x509_crt_t x509_cert = cert ? cert->x509_cert : NULL;
+
+       if (!cert) 
+               return g_strdup(_("Internal error"));
+
        if (status == (guint)-1) {
                status = check_cert(cert);
                if (status == -1)
                        return g_strdup(_("Uncheckable"));
        }
        if (status & GNUTLS_CERT_INVALID) {
-               if (gnutls_x509_crt_check_issuer(cert, cert))
+               if (gnutls_x509_crt_check_issuer(x509_cert, x509_cert))
                        return g_strdup(_("Self-signed certificate"));
        }
        if (status & GNUTLS_CERT_REVOKED)
@@ -543,7 +630,44 @@ char *ssl_certificate_check_signer (gnutls_x509_crt cert, guint status)
        return NULL;
 }
 
-gboolean ssl_certificate_check (gnutls_x509_crt x509_cert, guint status, const gchar *host, gushort port)
+static void ssl_certificate_save_chain(gnutls_x509_crt_t *certs, gint len, const gchar *host, gushort port)
+{
+       gint i;
+       gchar *file = NULL;
+       FILE *fp = NULL;
+       
+       for (i = 0; i < len; i++) {
+               size_t n;
+               unsigned char md[128];  
+               gnutls_x509_crt_t cert = certs[i];
+               gchar *fingerprint;
+
+               if (i == 0) {
+                       gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_MD5, md, &n);
+                       fingerprint = readable_fingerprint(md, n);
+                       gchar *buf = g_strdup_printf("%d", port);
+
+                       file = get_certificate_chain_path(host, buf, fingerprint);
+
+                       g_free(buf);
+
+                       fp = g_fopen(file, "wb");
+                       if (fp == NULL) {
+                               g_free(file);
+                               debug_print("Can't save certificate !\n");
+                               return;
+                       }
+                       g_free(file);
+               }
+
+               gnutls_export_X509_fp(fp, cert, GNUTLS_X509_FMT_PEM);
+
+       }
+       if (fp)
+               fclose(fp);
+}
+
+gboolean ssl_certificate_check (gnutls_x509_crt_t x509_cert, guint status, const gchar *host, gushort port)
 {
        SSLCertificate *current_cert = NULL;
        SSLCertificate *known_cert;
@@ -641,40 +765,94 @@ gboolean ssl_certificate_check (gnutls_x509_crt x509_cert, guint status, const g
        return TRUE;
 }
 
-gnutls_x509_crt ssl_certificate_get_x509_from_pem_file(const gchar *file)
+gboolean ssl_certificate_check_chain(gnutls_x509_crt_t *certs, gint chain_len, const gchar *host, gushort port)
+{
+       int ncas = 0;
+       gnutls_x509_crt_t *cas = NULL;
+       gboolean result = FALSE;
+       int i;
+       gint status;
+
+       if (claws_ssl_get_cert_file()) {
+               FILE *fp = g_fopen(claws_ssl_get_cert_file(), "rb");
+               int r = -errno;
+
+               if (fp) {
+                       r = gnutls_import_X509_list_fp(fp, GNUTLS_X509_FMT_PEM, &cas, &ncas);
+                       fclose(fp);
+               }
+
+               if (r < 0)
+                       g_warning("Can't read SSL_CERT_FILE %s: %s\n",
+                               claws_ssl_get_cert_file(), 
+                               gnutls_strerror(r));
+       } else {
+               debug_print("Can't find SSL ca-certificates file\n");
+       }
+
+
+       gnutls_x509_crt_list_verify (certs,
+                             chain_len,
+                             cas, ncas,
+                             NULL, 0,
+                             GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
+                             &status);
+
+       result = ssl_certificate_check(certs[0], status, host, port);
+
+       if (result == TRUE) {
+               ssl_certificate_save_chain(certs, chain_len, host, port);
+       }
+
+       for (i = 0; i < ncas; i++)
+               gnutls_x509_crt_deinit(cas[i]);
+       free(cas);
+
+       return result;
+}
+
+gnutls_x509_crt_t ssl_certificate_get_x509_from_pem_file(const gchar *file)
 {
-       gnutls_x509_crt x509 = NULL;
+       gnutls_x509_crt_t x509 = NULL;
        if (!file)
                return NULL;
        
        if (is_file_exist(file)) {
                FILE *fp = g_fopen(file, "r");
                if (fp) {
-                       x509 = gnutls_d2i_X509_fp(fp, 1);
+                       x509 = gnutls_import_X509_fp(fp, GNUTLS_X509_FMT_PEM);
                        fclose(fp);
                        return x509;
+               } else {
+                       log_error(LOG_PROTOCOL, _("Cannot open certificate file %s: %s\n"),
+                                 file, strerror(errno));
                }
        } else {
-               log_error(LOG_PROTOCOL, _("Cannot open certificate file %s\n"), file);
+               log_error(LOG_PROTOCOL, _("Certificate file %s missing (%s)\n"),
+                         file, strerror(errno));
        }
        return NULL;
 }
 
-gnutls_x509_privkey ssl_certificate_get_pkey_from_pem_file(const gchar *file)
+gnutls_x509_privkey_t ssl_certificate_get_pkey_from_pem_file(const gchar *file)
 {
-       gnutls_x509_privkey key = NULL;
+       gnutls_x509_privkey_t key = NULL;
        if (!file)
                return NULL;
        
        if (is_file_exist(file)) {
                FILE *fp = g_fopen(file, "r");
                if (fp) {
-                       key = gnutls_d2i_key_fp(fp, 1);
+                       key = gnutls_import_key_fp(fp, GNUTLS_X509_FMT_PEM);
                        fclose(fp);
                        return key;
+               } else {
+                       log_error(LOG_PROTOCOL, _("Cannot open key file %s (%s)\n"),
+                       file, strerror(errno));
                }
        } else {
-               log_error(LOG_PROTOCOL, _("Cannot open key file %s\n"), file);
+               log_error(LOG_PROTOCOL, _("Key file %s missing (%s)\n"), file,
+                         strerror(errno));
        }
        return NULL;
 }
@@ -683,7 +861,7 @@ gnutls_x509_privkey ssl_certificate_get_pkey_from_pem_file(const gchar *file)
 static int
 parse_pkcs12 (gnutls_pkcs12_t p12,
              const char *password,
-             gnutls_x509_privkey * key,
+             gnutls_x509_privkey_t * key,
              gnutls_x509_crt_t * cert)
 {
   gnutls_pkcs12_bag_t bag = NULL;
@@ -734,7 +912,7 @@ parse_pkcs12 (gnutls_pkcs12_t p12,
       for (i = 0; i < elements_in_bag; i++)
        {
          int type;
-         gnutls_datum data;
+         gnutls_datum_t data;
 
          type = gnutls_pkcs12_bag_get_type (bag, i);
          if (type < 0)
@@ -804,7 +982,7 @@ done:
   return ret;
 }
 void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, const gchar *password,
-                       gnutls_x509_crt *x509, gnutls_x509_privkey *pkey)
+                       gnutls_x509_crt_t *x509, gnutls_x509_privkey_t *pkey)
 {
        gnutls_pkcs12_t p12 = NULL;
 
@@ -818,11 +996,18 @@ void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, const gc
        if (is_file_exist(file)) {
                FILE *fp = g_fopen(file, "r");
                if (fp) {
-                       p12 = gnutls_d2i_PKCS12_fp(fp, 0);
+                       p12 = gnutls_import_PKCS12_fp(fp, GNUTLS_X509_FMT_DER);
                        fclose(fp);
+                       if (!p12) {
+                               log_error(LOG_PROTOCOL, _("Failed to read P12 certificate file %s\n"), file);
+                       }
+               } else {
+                       log_error(LOG_PROTOCOL, _("Cannot open P12 certificate file %s (%s)\n"),
+                                 file, strerror(errno));
                }
        } else {
-               log_error(LOG_PROTOCOL, _("Cannot open certificate file %s\n"), file);
+               log_error(LOG_PROTOCOL, _("P12 Certificate file %s missing (%s)\n"), file,
+                         strerror(errno));
        }
        if (p12 != NULL) {
                if ((r = parse_pkcs12(p12, password, pkey, x509)) == 0) {
@@ -833,4 +1018,22 @@ void ssl_certificate_get_x509_and_pkey_from_p12_file(const gchar *file, const gc
                gnutls_pkcs12_deinit(p12);
        }
 }
+
+gboolean ssl_certificate_check_subject_cn(SSLCertificate *cert)
+{
+       return gnutls_x509_crt_check_hostname(cert->x509_cert, cert->host) != 0;
+}
+
+gchar *ssl_certificate_get_subject_cn(SSLCertificate *cert)
+{
+       gchar subject_cn[BUFFSIZE];
+       size_t n = BUFFSIZE;
+
+       if(gnutls_x509_crt_get_dn_by_oid(cert->x509_cert, 
+               GNUTLS_OID_X520_COMMON_NAME, 0, 0, subject_cn, &n))
+               strncpy(subject_cn, _("<not in certificate>"), BUFFSIZE);
+
+       return g_strdup(subject_cn);
+}
+
 #endif /* USE_GNUTLS */
Claws Mail