X509_VERIFY_PARAM *vpm = NULL;
char *prog, *CApath = NULL, *CAfile = NULL;
int noCApath = 0, noCAfile = 0;
- char *untfile = NULL, *trustfile = NULL, *crlfile = NULL;
int vpmtouched = 0, crl_download = 0, show_chain = 0, i = 0, ret = 1;
OPTION_CHOICE o;
noCAfile = 1;
break;
case OPT_UNTRUSTED:
- untfile = opt_arg();
+ /* Zero or more times */
+ if (!load_certs(opt_arg(), &untrusted, FORMAT_PEM, NULL, e,
+ "untrusted certificates"))
+ goto end;
break;
case OPT_TRUSTED:
- trustfile = opt_arg();
+ /* Zero or more times */
+ noCAfile = 1;
+ noCApath = 1;
+ if (!load_certs(opt_arg(), &trusted, FORMAT_PEM, NULL, e,
+ "trusted certificates"))
+ goto end;
break;
case OPT_CRLFILE:
- crlfile = opt_arg();
+ /* Zero or more times */
+ if (!load_crls(opt_arg(), &crls, FORMAT_PEM, NULL, e,
+ "other CRLs"))
+ goto end;
break;
case OPT_CRL_DOWNLOAD:
crl_download = 1;
show_chain = 1;
break;
case OPT_ENGINE:
+ /* Specify *before* -trusted/-untrusted/-CRLfile */
e = setup_engine(opt_arg(), 0);
break;
case OPT_VERBOSE:
}
argc = opt_num_rest();
argv = opt_rest();
- if (trustfile && (CAfile || CApath)) {
+ if (trusted != NULL && (CAfile || CApath)) {
BIO_printf(bio_err,
"%s: Cannot use -trusted with -CAfile or -CApath\n",
prog);
goto end;
}
- if (!app_load_modules(NULL))
- goto end;
-
if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
goto end;
X509_STORE_set_verify_cb(store, cb);
ERR_clear_error();
- if (untfile) {
- untrusted = load_certs(untfile, FORMAT_PEM,
- NULL, e, "untrusted certificates");
- if (!untrusted)
- goto end;
- }
-
- if (trustfile) {
- trusted = load_certs(trustfile, FORMAT_PEM,
- NULL, e, "trusted certificates");
- if (!trusted)
- goto end;
- }
-
- if (crlfile) {
- crls = load_crls(crlfile, FORMAT_PEM, NULL, e, "other CRLs");
- if (!crls)
- goto end;
- }
-
if (crl_download)
store_setup_crl_download(store);
x = load_cert(file, FORMAT_PEM, NULL, e, "certificate file");
if (x == NULL)
goto end;
- printf("%s: ", (file == NULL) ? "stdin" : file);
csc = X509_STORE_CTX_new();
if (csc == NULL) {
- ERR_print_errors(bio_err);
+ printf("error %s: X.509 store context allocation failed\n",
+ (file == NULL) ? "stdin" : file);
goto end;
}
X509_STORE_set_flags(ctx, vflags);
if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
- ERR_print_errors(bio_err);
+ printf("error %s: X.509 store context initialization failed\n",
+ (file == NULL) ? "stdin" : file);
goto end;
}
if (tchain)
if (crls)
X509_STORE_CTX_set0_crls(csc, crls);
i = X509_verify_cert(csc);
- if (i > 0) {
- printf("OK\n");
+ if (i > 0 && X509_STORE_CTX_get_error(csc) == X509_V_OK) {
+ printf("%s: OK\n", (file == NULL) ? "stdin" : file);
ret = 1;
- if (show_chain) {
- int j;
+ if (show_chain) {
+ int j;
- chain = X509_STORE_CTX_get1_chain(csc);
- num_untrusted = X509_STORE_CTX_get_num_untrusted(csc);
- printf("Chain:\n");
- for (j = 0; j < sk_X509_num(chain); j++) {
- X509 *cert = sk_X509_value(chain, j);
- printf("depth=%d: ", j);
- X509_NAME_print_ex_fp(stdout,
- X509_get_subject_name(cert),
- 0, XN_FLAG_ONELINE);
- if (j < num_untrusted)
- printf(" (untrusted)");
- printf("\n");
- }
- sk_X509_pop_free(chain, X509_free);
- }
+ chain = X509_STORE_CTX_get1_chain(csc);
+ num_untrusted = X509_STORE_CTX_get_num_untrusted(csc);
+ printf("Chain:\n");
+ for (j = 0; j < sk_X509_num(chain); j++) {
+ X509 *cert = sk_X509_value(chain, j);
+ printf("depth=%d: ", j);
+ X509_NAME_print_ex_fp(stdout,
+ X509_get_subject_name(cert),
+ 0, XN_FLAG_ONELINE);
+ if (j < num_untrusted)
+ printf(" (untrusted)");
+ printf("\n");
+ }
+ sk_X509_pop_free(chain, X509_free);
+ }
+ } else {
+ printf("error %s: verification failed\n", (file == NULL) ? "stdin" : file);
}
X509_STORE_CTX_free(csc);
end:
if (i <= 0)
- ERR_print_errors(bio_err);
+ ERR_print_errors(bio_err);
X509_free(x);
return ret;
0, XN_FLAG_ONELINE);
BIO_printf(bio_err, "\n");
}
- BIO_printf(bio_err, "%serror %d at %d depth lookup:%s\n",
- X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path]" : "",
+ BIO_printf(bio_err, "%serror %d at %d depth lookup: %s\n",
+ X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path] " : "",
cert_error,
X509_STORE_CTX_get_error_depth(ctx),
X509_verify_cert_error_string(cert_error));