Modify verify code to handle self signed certificates.

[openssl.git] / apps / verify.c

diff --git a/apps/verify.c b/apps/verify.c
index 809f4c43fa6b13f76ffdf4ad2a0e50cd0d21126b..840fda9561ab5f6a250e4fedbb24efd9772f6089 100644 (file)
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -1,5 +1,5 @@
 /* apps/verify.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
  * This package is an SSL implementation written
@@ -60,27 +60,19 @@
 #include <stdlib.h>
 #include <string.h>
 #include "apps.h"
-#include "bio.h"
-#include "err.h"
-#include "x509.h"
-#include "pem.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
 
 #undef PROG
 #define PROG   verify_main
 
-#ifndef NOPROTO
 static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx);
 static int check(X509_STORE *ctx,char *file);
-#else
-static int MS_CALLBACK cb();
-static int check();
-#endif
-
 static int v_verbose=0;
 
-int MAIN(argc, argv)
-int argc;
-char **argv;
+int MAIN(int argc, char **argv)
        {
        int i,ret=1;
        char *CApath=NULL,*CAfile=NULL;
@@ -97,7 +89,7 @@ char **argv;
 
        if (bio_err == NULL)
                if ((bio_err=BIO_new(BIO_s_file())) != NULL)
-                       BIO_set_fp(bio_err,stderr,BIO_NOCLOSE);
+                       BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 
        argc--;
        argv++;
@@ -141,6 +133,7 @@ char **argv;
                X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
 
 
+       ERR_clear_error();
        if (argc < 1) check(cert_ctx,NULL);
        else
                for (i=0; i<argc; i++)
@@ -153,9 +146,7 @@ end:
        EXIT(ret);
        }
 
-static int check(ctx,file)
-X509_STORE *ctx;
-char *file;
+static int check(X509_STORE *ctx, char *file)
        {
        X509 *x=NULL;
        BIO *in=NULL;
@@ -180,7 +171,7 @@ char *file;
                        }
                }
 
-       x=PEM_read_bio_X509(in,NULL,NULL);
+       x=PEM_read_bio_X509(in,NULL,NULL,NULL);
        if (x == NULL)
                {
                fprintf(stdout,"%s: unable to load certificate file\n",
@@ -209,29 +200,24 @@ end:
        return(ret);
        }
 
-static int MS_CALLBACK cb(ok,ctx)
-int ok;
-X509_STORE_CTX *ctx;
+static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
        {
        char buf[256];
 
        if (!ok)
                {
-               /* since we are just checking the certificates, it is
-                * ok if they are self signed. */
-               if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
-                       ok=1;
-               else
-                       {
-                       X509_NAME_oneline(
+               X509_NAME_oneline(
                                X509_get_subject_name(ctx->current_cert),buf,256);
-                       printf("%s\n",buf);
-                       printf("error %d at %d depth lookup:%s\n",ctx->error,
-                               ctx->error_depth,
-                               X509_verify_cert_error_string(ctx->error));
-                       if (ctx->error == X509_V_ERR_CERT_HAS_EXPIRED)
-                               ok=1;
-                       }
+               printf("%s\n",buf);
+               printf("error %d at %d depth lookup:%s\n",ctx->error,
+                       ctx->error_depth,
+                       X509_verify_cert_error_string(ctx->error));
+               if (ctx->error == X509_V_ERR_CERT_HAS_EXPIRED) ok=1;
+               /* since we are just checking the certificates, it is
+                * ok if they are self signed. But we should still warn
+                * the user.
+                */
+               if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;
                }
        if (!v_verbose)
                ERR_clear_error();