7 int verify_callback(int ok, X509_STORE_CTX *ctx);
18 PKCS7_SIGNER_INFO *si;
19 PKCS7_ISSUER_AND_SERIAL *ias;
20 X509_STORE_CTX cert_ctx;
21 X509_STORE *cert_store=NULL;
22 X509_LOOKUP *lookup=NULL;
23 BIO *data,*detached=NULL,*p7bio=NULL;
29 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
30 EVP_add_digest(EVP_md2());
31 EVP_add_digest(EVP_md5());
32 EVP_add_digest(EVP_sha1());
33 EVP_add_digest(EVP_mdc2());
35 data=BIO_new(BIO_s_file());
42 if (strcmp(argv[0],"-p") == 0)
46 else if ((strcmp(argv[0],"-d") == 0) && (argc >= 2))
48 detached=BIO_new(BIO_s_file());
49 if (!BIO_read_filename(detached,argv[1]))
57 if (!BIO_read_filename(data,argv[0]))
63 BIO_set_fp(data,stdin,BIO_NOCLOSE);
66 /* Load the PKCS7 object from a file */
67 if ((p7=PEM_read_bio_PKCS7(data,NULL,NULL)) == NULL) goto err;
69 /* This stuff is being setup for certificate verification.
70 * When using SSL, it could be replaced with a
71 * cert_stre=SSL_CTX_get_cert_store(ssl_ctx); */
72 cert_store=X509_STORE_new();
73 X509_STORE_set_default_paths(cert_store);
74 X509_STORE_load_locations(cert_store,NULL,"../../certs");
75 X509_STORE_set_verify_cb_func(cert_store,verify_callback);
79 /* We need to process the data */
80 if (PKCS7_get_detached(p7))
84 printf("no data to verify the signature on\n");
88 p7bio=PKCS7_dataInit(p7,detached);
92 p7bio=PKCS7_dataInit(p7,NULL);
95 /* We now have to 'read' from p7bio to calculate digests etc. */
98 i=BIO_read(p7bio,buf,sizeof(buf));
103 /* We can now verify signatures */
104 sk=PKCS7_get_signer_info(p7);
107 printf("there are no signatures on this data\n");
111 /* Ok, first we need to, for each subject entry, see if we can verify */
112 for (i=0; i<sk_num(sk); i++)
114 si=(PKCS7_SIGNER_INFO *)sk_value(sk,i);
115 i=PKCS7_dataVerify(cert_store,&cert_ctx,p7bio,p7,si);
120 X509_STORE_free(cert_store);
125 ERR_load_crypto_strings();
126 ERR_print_errors_fp(stderr);
130 /* should be X509 * but we can just have them as char *. */
131 int verify_callback(ok, ctx)
139 err_cert=X509_STORE_CTX_get_current_cert(ctx);
140 err= X509_STORE_CTX_get_error(ctx);
141 depth= X509_STORE_CTX_get_error_depth(ctx);
143 X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256);
144 BIO_printf(bio_err,"depth=%d %s\n",depth,buf);
147 BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
148 X509_verify_cert_error_string(err));
152 X509_STORE_CTX_set_error(ctx,X509_V_OK);
157 X509_STORE_CTX_set_error(ctx,X509_V_ERR_CERT_CHAIN_TOO_LONG);
162 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
163 X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256);
164 BIO_printf(bio_err,"issuer= %s\n",buf);
166 case X509_V_ERR_CERT_NOT_YET_VALID:
167 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
168 BIO_printf(bio_err,"notBefore=");
169 ASN1_UTCTIME_print(bio_err,X509_get_notBefore(ctx->current_cert));
170 BIO_printf(bio_err,"\n");
172 case X509_V_ERR_CERT_HAS_EXPIRED:
173 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
174 BIO_printf(bio_err,"notAfter=");
175 ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ctx->current_cert));
176 BIO_printf(bio_err,"\n");
179 BIO_printf(bio_err,"verify return:%d\n",ok);
projects / openssl.git / blob