+
+static int peerValidateServer(int ok_so_far, X509* cert, void *ca_ctx)
+{
+ const char *realm = NULL;
+ unsigned char *cert_bytes = NULL;
+ int cert_len;
+ unsigned char hash[32];
+ int hash_len;
+ MoonshotError *error = NULL;
+ struct eap_peer_config *eap_config = (struct eap_peer_config *) ca_ctx;
+ char *identity = strdup((const char *) eap_config->identity);
+
+ // Truncate the identity to just the username
+ char* at = strchr(identity, '@');
+ if (at != NULL) {
+ *at = '\0';
+ }
+
+ cert_len = cert_to_byte_array(cert, &cert_bytes);
+ hash_len = sha256(cert_bytes, cert_len, hash);
+ GSSEAP_FREE(cert_bytes);
+
+ if (hash_len != 32) {
+ printf("peerValidateServer: Error: hash_len=%d, not 32!\n", hash_len);
+ return FALSE;
+ }
+
+ /* This is ugly, but it works -- anonymous_identity is '@' + realm
+ * (see peerConfigInit)
+ */
+ realm = ((char *) eap_config->anonymous_identity) + 1;
+
+ ok_so_far = moonshot_confirm_ca_certificate(identity, realm, hash, 32, &error);
+ free(identity);
+
+ printf("peerValidateServer: Returning %d\n", ok_so_far);
+ return ok_so_far;
+}
+
+