New -valid option to add a certificate to the ca index.txt that is valid and not...

[openssl.git] / apps / apps.c

diff --git a/apps/apps.c b/apps/apps.c
index 22ef53a9e8c1c41431b3ddbd1330547c646bfb65..24a493e0eb1bed7c41f5c799dfcf5dd5d31c4f01 100644 (file)
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -109,7 +109,7 @@
  *
  */
 
-#ifndef _POSIX_C_SOURCE
+#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
 #define _POSIX_C_SOURCE 2      /* On VMS, you need to define this to get
                                   the declaration of fileno().  The value
                                   2 is to make sure no function defined
@@ -1215,7 +1215,8 @@ STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
        const char *pass, ENGINE *e, const char *desc)
        {
        STACK_OF(X509) *certs;
-       load_certs_crls(err, file, format, pass, e, desc, &certs, NULL);
+       if (!load_certs_crls(err, file, format, pass, e, desc, &certs, NULL))
+               return NULL;
        return certs;
        }       
 
@@ -1223,7 +1224,8 @@ STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
        const char *pass, ENGINE *e, const char *desc)
        {
        STACK_OF(X509_CRL) *crls;
-       load_certs_crls(err, file, format, pass, e, desc, NULL, &crls);
+       if (!load_certs_crls(err, file, format, pass, e, desc, NULL, &crls))
+               return NULL;
        return crls;
        }       
 
@@ -2130,7 +2132,7 @@ X509_NAME *parse_name(char *subject, long chtype, int multirdn)
        X509_NAME *n = NULL;
        int nid;
 
-       if (!buf || !ne_types || !ne_values)
+       if (!buf || !ne_types || !ne_values || !mval)
                {
                BIO_printf(bio_err, "malloc error\n");
                goto error;
@@ -2234,6 +2236,7 @@ X509_NAME *parse_name(char *subject, long chtype, int multirdn)
        OPENSSL_free(ne_values);
        OPENSSL_free(ne_types);
        OPENSSL_free(buf);
+       OPENSSL_free(mval);
        return n;
 
 error:
@@ -2242,6 +2245,8 @@ error:
                OPENSSL_free(ne_values);
        if (ne_types)
                OPENSSL_free(ne_types);
+       if (mval)
+               OPENSSL_free(mval);
        if (buf)
                OPENSSL_free(buf);
        return NULL;
@@ -2257,6 +2262,8 @@ int args_verify(char ***pargs, int *pargc,
        char **oldargs = *pargs;
        char *arg = **pargs, *argn = (*pargs)[1];
        time_t at_time = 0;
+       const unsigned char *hostname = NULL, *email = NULL;
+       char *ipasc = NULL;
        if (!strcmp(arg, "-policy"))
                {
                if (!argn)
@@ -2330,6 +2337,27 @@ int args_verify(char ***pargs, int *pargc,
                        }
                (*pargs)++;
                }
+       else if (strcmp(arg,"-verify_hostname") == 0)
+               {
+               if (!argn)
+                       *badarg = 1;
+               hostname = (unsigned char *)argn;
+               (*pargs)++;
+               }
+       else if (strcmp(arg,"-verify_email") == 0)
+               {
+               if (!argn)
+                       *badarg = 1;
+               email = (unsigned char *)argn;
+               (*pargs)++;
+               }
+       else if (strcmp(arg,"-verify_ip") == 0)
+               {
+               if (!argn)
+                       *badarg = 1;
+               ipasc = argn;
+               (*pargs)++;
+               }
        else if (!strcmp(arg, "-ignore_critical"))
                flags |= X509_V_FLAG_IGNORE_CRITICAL;
        else if (!strcmp(arg, "-issuer_checks"))
@@ -2356,6 +2384,10 @@ int args_verify(char ***pargs, int *pargc,
                flags |= X509_V_FLAG_NOTIFY_POLICY;
        else if (!strcmp(arg, "-check_ss_sig"))
                flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
+       else if (!strcmp(arg, "-trusted_first"))
+               flags |= X509_V_FLAG_TRUSTED_FIRST;
+       else if (!strcmp(arg, "-partial_chain"))
+               flags |= X509_V_FLAG_PARTIAL_CHAIN;
        else
                return 0;
 
@@ -2387,6 +2419,15 @@ int args_verify(char ***pargs, int *pargc,
        if (at_time) 
                X509_VERIFY_PARAM_set_time(*pm, at_time);
 
+       if (hostname && !X509_VERIFY_PARAM_set1_host(*pm, hostname, 0))
+               *badarg = 1;
+
+       if (email && !X509_VERIFY_PARAM_set1_email(*pm, email, 0))
+               *badarg = 1;
+
+       if (ipasc && !X509_VERIFY_PARAM_set1_ip_asc(*pm, ipasc))
+               *badarg = 1;
+
        end:
 
        (*pargs)++;
@@ -2762,6 +2803,35 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
        }
 #endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
 
+void print_cert_checks(BIO *bio, X509 *x,
+                               const unsigned char *checkhost,
+                               const unsigned char *checkemail,
+                               const char *checkip)
+       {
+       if (x == NULL)
+               return;
+       if (checkhost)
+               {
+               BIO_printf(bio, "Hostname %s does%s match certificate\n",
+                               checkhost, X509_check_host(x, checkhost, 0, 0)
+                                               ? "" : " NOT");
+               }
+
+       if (checkemail)
+               {
+               BIO_printf(bio, "Email %s does%s match certificate\n",
+                               checkemail, X509_check_email(x, checkemail, 0,
+                                               0) ? "" : " NOT");
+               }
+
+       if (checkip)
+               {
+               BIO_printf(bio, "IP %s does%s match certificate\n",
+                               checkip, X509_check_ip_asc(x, checkip,
+                                               0) ? "" : " NOT");
+               }
+       }
+
 /*
  * Platform-specific sections
  */