typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
- OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE,
+ OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE,
+ OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE,
OPT_UNTRUSTED, OPT_TRUSTED, OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN,
OPT_V_ENUM, OPT_NAMEOPT,
OPT_VERBOSE, OPT_SM2ID, OPT_SM2HEXID
} OPTION_CHOICE;
const OPTIONS verify_options[] = {
- {OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"},
- {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
+ {OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert...]\n"},
+
+ OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
{"verbose", OPT_VERBOSE, '-',
"Print extra information about the operations being performed."},
+ {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
+
+ OPT_SECTION("Certificate chain"),
{"CApath", OPT_CAPATH, '/', "A directory of trusted certificates"},
{"CAfile", OPT_CAFILE, '<', "A file of trusted certificates"},
+ {"CAstore", OPT_CASTORE, ':', "URI to a store of trusted certificates"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
+ {"no-CAstore", OPT_NOCAPATH, '-',
+ "Do not load certificates from the default certificates store"},
{"untrusted", OPT_UNTRUSTED, '<', "A file of untrusted certificates"},
{"trusted", OPT_TRUSTED, '<', "A file of trusted certificates"},
{"CRLfile", OPT_CRLFILE, '<',
"Attempt to download CRL information for this certificate"},
{"show_chain", OPT_SHOW_CHAIN, '-',
"Display information about the certificate chain"},
- {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
+
OPT_V_OPTIONS,
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
#ifndef OPENSSL_NO_SM2
{"sm2-id", OPT_SM2ID, 's',
"Specify an ID string to verify an SM2 certificate"},
{"sm2-hex-id", OPT_SM2HEXID, 's',
"Specify a hex ID string to verify an SM2 certificate"},
#endif
+
+ OPT_PARAMETERS(),
+ {"cert", 0, 0, "Certificate(s) to verify (optional; stdin used otherwise)"},
{NULL}
};
STACK_OF(X509_CRL) *crls = NULL;
X509_STORE *store = NULL;
X509_VERIFY_PARAM *vpm = NULL;
- const char *prog, *CApath = NULL, *CAfile = NULL;
- int noCApath = 0, noCAfile = 0;
+ const char *prog, *CApath = NULL, *CAfile = NULL, *CAstore = NULL;
+ int noCApath = 0, noCAfile = 0, noCAstore = 0;
int vpmtouched = 0, crl_download = 0, show_chain = 0, i = 0, ret = 1;
OPTION_CHOICE o;
unsigned char *sm2_id = NULL;
goto end;
case OPT_HELP:
opt_help(verify_options);
- BIO_printf(bio_err, "Recognized usages:\n");
+ BIO_printf(bio_err, "\nRecognized certificate chain purposes:\n");
for (i = 0; i < X509_PURPOSE_get_count(); i++) {
- X509_PURPOSE *ptmp;
- ptmp = X509_PURPOSE_get0(i);
- BIO_printf(bio_err, "\t%-10s\t%s\n",
+ X509_PURPOSE *ptmp = X509_PURPOSE_get0(i);
+
+ BIO_printf(bio_err, " %-15s %s\n",
X509_PURPOSE_get0_sname(ptmp),
X509_PURPOSE_get0_name(ptmp));
}
- BIO_printf(bio_err, "Recognized verify names:\n");
+ BIO_printf(bio_err, "Recognized certificate policy names:\n");
for (i = 0; i < X509_VERIFY_PARAM_get_count(); i++) {
- const X509_VERIFY_PARAM *vptmp;
- vptmp = X509_VERIFY_PARAM_get0(i);
- BIO_printf(bio_err, "\t%-10s\n",
+ const X509_VERIFY_PARAM *vptmp = X509_VERIFY_PARAM_get0(i);
+
+ BIO_printf(bio_err, " %s\n",
X509_VERIFY_PARAM_get0_name(vptmp));
}
ret = 0;
case OPT_CAFILE:
CAfile = opt_arg();
break;
+ case OPT_CASTORE:
+ CAstore = opt_arg();
+ break;
case OPT_NOCAPATH:
noCApath = 1;
break;
case OPT_NOCAFILE:
noCAfile = 1;
break;
+ case OPT_NOCASTORE:
+ noCAstore = 1;
+ break;
case OPT_UNTRUSTED:
/* Zero or more times */
if (!load_certs(opt_arg(), &untrusted, FORMAT_PEM, NULL,
/* Zero or more times */
noCAfile = 1;
noCApath = 1;
+ noCAstore = 1;
if (!load_certs(opt_arg(), &trusted, FORMAT_PEM, NULL,
"trusted certificates"))
goto end;
}
argc = opt_num_rest();
argv = opt_rest();
- if (trusted != NULL && (CAfile || CApath)) {
+ if (trusted != NULL
+ && (CAfile != NULL || CApath != NULL || CAstore != NULL)) {
BIO_printf(bio_err,
- "%s: Cannot use -trusted with -CAfile or -CApath\n",
+ "%s: Cannot use -trusted with -CAfile, -CApath or -CAstore\n",
prog);
goto end;
}
- if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
+ if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
+ CAstore, noCAstore)) == NULL)
goto end;
X509_STORE_set_verify_cb(store, cb);
projects / openssl.git / blobdiff