From ad39b31c1ce0323d6f6ec44842d955f9f2556adf Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Fri, 17 Feb 2017 02:06:47 +0300 Subject: [PATCH] Added '-nameopt' option to the verify command. It makes possible to print the certificate's DN correctly in case of verification errors. Reviewed-by: Andy Polyakov Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/2656) --- apps/verify.c | 17 ++++++++++++++--- doc/man1/verify.pod | 8 ++++++++ 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/apps/verify.c b/apps/verify.c index bd8349a508..a4eb465739 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -22,12 +22,13 @@ static int check(X509_STORE *ctx, const char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, STACK_OF(X509_CRL) *crls, int show_chain); static int v_verbose = 0, vflags = 0; +static unsigned long nmflag = 0; typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_UNTRUSTED, OPT_TRUSTED, OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN, - OPT_V_ENUM, + OPT_V_ENUM, OPT_NAMEOPT, OPT_VERBOSE } OPTION_CHOICE; @@ -51,6 +52,7 @@ const OPTIONS verify_options[] = { "Attempt to download CRL information for this certificate"}, {"show_chain", OPT_SHOW_CHAIN, '-', "Display information about the certificate chain"}, + {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, OPT_V_OPTIONS, #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, @@ -68,6 +70,7 @@ int verify_main(int argc, char **argv) const char *prog, *CApath = NULL, *CAfile = NULL; int noCApath = 0, noCAfile = 0; int vpmtouched = 0, crl_download = 0, show_chain = 0, i = 0, ret = 1; + char nmflag_set = 0; OPTION_CHOICE o; if ((vpm = X509_VERIFY_PARAM_new()) == NULL) 
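Review bot: `static unsigned long nmflag = 0;` at the top of the @@ -22,12 +22,13 @@ hunk introduces new file-scope mutable state with no comment saying why it is not a local of verify_main like the other option values; the reason is presumably that cb() (the @@ -271 hunk) is installed through X509_STORE_set_verify_cb and receives no application context, so the flags have to be reachable from it. A one-line comment such as `/* name-printing flags for cb() and check(); file-scope because the verify callback carries no app context */` would make that explicit, next to v_verbose and vflags, which appear to sit at file scope for the same reason. The surrounding declarations continue outside the hunk.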
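Review bot: `char nmflag_set = 0;` in the @@ -68,6 +70,7 @@ hunk uses char for a boolean flag while the neighbouring `int noCApath = 0, noCAfile = 0;` and `int vpmtouched = 0, crl_download = 0, show_chain = 0, ...` declare the same kind of flag as int; a plain `int nmflag_set = 0;` keeps the declarations consistent and, if memory serves, matches how the other apps track the same option. The width saving is irrelevant here, and a char flag invites a sign-extension surprise if it is ever used arithmetically. verify_main's body continues outside the hunk.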
@@ -149,6 +152,11 @@ int verify_main(int argc, char **argv) case OPT_SHOW_CHAIN: show_chain = 1; break; + case OPT_NAMEOPT: + nmflag_set = 1; + if (!set_name_ex(&nmflag, opt_arg())) + goto end; + break; case OPT_VERBOSE: v_verbose = 1; break; @@ -163,6 +171,9 @@ int verify_main(int argc, char **argv) goto end; } + if (!nmflag_set) + nmflag = XN_FLAG_ONELINE; + if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL) goto end; X509_STORE_set_verify_cb(store, cb); @@ -242,7 +253,7 @@ static int check(X509_STORE *ctx, const char *file, printf("depth=%d: ", j); X509_NAME_print_ex_fp(stdout, X509_get_subject_name(cert), - 0, XN_FLAG_ONELINE); + 0, nmflag); if (j < num_untrusted) printf(" (untrusted)"); printf("\n"); @@ -271,7 +282,7 @@ static int cb(int ok, X509_STORE_CTX *ctx) if (current_cert) { X509_NAME_print_ex(bio_err, X509_get_subject_name(current_cert), - 0, XN_FLAG_ONELINE); + 0, nmflag); BIO_printf(bio_err, "\n"); } BIO_printf(bio_err, "%serror %d at %d depth lookup: %s\n", diff --git a/doc/man1/verify.pod b/doc/man1/verify.pod index 8ba5ff67e4..36050ece69 100644 --- a/doc/man1/verify.pod +++ b/doc/man1/verify.pod @@ -25,6 +25,7 @@ B B [B<-ignore_critical>] [B<-inhibit_any>] [B<-inhibit_map>] +[B<-nameopt option>] [B<-no_check_time>] [B<-partial_chain>] [B<-policy arg>] @@ -151,6 +152,13 @@ Set policy variable inhibit-any-policy (see RFC5280). Set policy variable inhibit-policy-mapping (see RFC5280). +=item B<-nameopt option> + +option which determines how the subject or issuer names are displayed. The +B
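Review bot: a rejected `-nameopt` value in the new `case OPT_NAMEOPT:` branch jumps straight to `end`, so the command exits with the initial `ret = 1` but, as far as this hunk shows, prints no diagnostic naming the bad option (set_name_ex does not appear to report unknown names itself). The sibling apps route this failure through their `opthelp` label so the user at least gets the "Use -help for summary" hint; if verify_main has that label, `goto opthelp;` is the better target here. The enclosing switch begins and ends outside the hunk.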
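Review bot: the `0, nmflag` argument in the @@ -271,7 +282,7 @@ hunk lets user-selected flags govern how cb() writes the subject DN of the certificate that failed verification to bio_err, and that certificate is by construction untrusted input. With the default XN_FLAG_ONELINE the bundled RFC2253 flags escape control and non-ASCII bytes, but a selection such as `-nameopt compat` (or negating `esc_ctrl`) drops that escaping, so a crafted DN could push raw terminal control sequences into logs that capture stderr. Worth a comment at the print, e.g. `/* nmflag comes from -nameopt; non-default choices may disable control-character escaping of this untrusted DN */`, and a sentence in the -nameopt man-page entry saying the same. cb() begins and ends outside the hunk.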