- STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
- STACK_OF(X509_CRL) *crls, ENGINE *e)
- {
- X509 *x=NULL;
- int i=0,ret=0;
- X509_STORE_CTX *csc;
-
- x = load_cert(bio_err, file, FORMAT_PEM, NULL, e, "certificate file");
- if (x == NULL)
- goto end;
- fprintf(stdout,"%s: ",(file == NULL)?"stdin":file);
-
- csc = X509_STORE_CTX_new();
- if (csc == NULL)
- {
- ERR_print_errors(bio_err);
- goto end;
- }
- X509_STORE_set_flags(ctx, vflags);
- if(!X509_STORE_CTX_init(csc,ctx,x,uchain))
- {
- ERR_print_errors(bio_err);
- goto end;
- }
- if(tchain) X509_STORE_CTX_trusted_stack(csc, tchain);
- if (crls)
- X509_STORE_CTX_set0_crls(csc, crls);
- i=X509_verify_cert(csc);
- X509_STORE_CTX_free(csc);
-
- ret=0;
-end:
- if (i > 0)
- {
- fprintf(stdout,"OK\n");
- ret=1;
- }
- else
- ERR_print_errors(bio_err);
- if (x != NULL) X509_free(x);
-
- return(ret);
- }
-
-static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
- {
- int cert_error = X509_STORE_CTX_get_error(ctx);
- X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
-
- if (!ok)
- {
- if (current_cert)
- {
- X509_NAME_print_ex_fp(stdout,
- X509_get_subject_name(current_cert),
- 0, XN_FLAG_ONELINE);
- printf("\n");
- }
- printf("%serror %d at %d depth lookup:%s\n",
- X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path]" : "",
- cert_error,
- X509_STORE_CTX_get_error_depth(ctx),
- X509_verify_cert_error_string(cert_error));
- switch(cert_error)
- {
- case X509_V_ERR_NO_EXPLICIT_POLICY:
- policies_print(NULL, ctx);
- case X509_V_ERR_CERT_HAS_EXPIRED:
-
- /* since we are just checking the certificates, it is
- * ok if they are self signed. But we should still warn
- * the user.
- */
-
- case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
- /* Continue after extension errors too */
- case X509_V_ERR_INVALID_CA:
- case X509_V_ERR_INVALID_NON_CA:
- case X509_V_ERR_PATH_LENGTH_EXCEEDED:
- case X509_V_ERR_INVALID_PURPOSE:
- case X509_V_ERR_CRL_HAS_EXPIRED:
- case X509_V_ERR_CRL_NOT_YET_VALID:
- case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
- ok = 1;
-
- }
-
- return ok;
-
- }
- if (cert_error == X509_V_OK && ok == 2)
- policies_print(NULL, ctx);
- if (!v_verbose)
- ERR_clear_error();
- return(ok);
- }
+ STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
+ STACK_OF(X509_CRL) *crls, ENGINE *e, int show_chain)
+{
+ X509 *x = NULL;
+ int i = 0, ret = 0;
+ X509_STORE_CTX *csc;
+ STACK_OF(X509) *chain = NULL;
+
+ x = load_cert(bio_err, file, FORMAT_PEM, NULL, e, "certificate file");
+ if (x == NULL)
+ goto end;
+ fprintf(stdout, "%s: ", (file == NULL) ? "stdin" : file);
+
+ csc = X509_STORE_CTX_new();
+ if (csc == NULL) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ X509_STORE_set_flags(ctx, vflags);
+ if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ if (tchain)
+ X509_STORE_CTX_trusted_stack(csc, tchain);
+ if (crls)
+ X509_STORE_CTX_set0_crls(csc, crls);
+ i = X509_verify_cert(csc);
+ if (i > 0 && show_chain)
+ chain = X509_STORE_CTX_get1_chain(csc);
+ X509_STORE_CTX_free(csc);
+
+ ret = 0;
+ end:
+ if (i > 0) {
+ fprintf(stdout, "OK\n");
+ ret = 1;
+ } else
+ ERR_print_errors(bio_err);
+ if (chain) {
+ printf("Chain:\n");
+ for (i = 0; i < sk_X509_num(chain); i++) {
+ X509 *cert = sk_X509_value(chain, i);
+ printf("depth=%d: ", i);
+ X509_NAME_print_ex_fp(stdout,
+ X509_get_subject_name(cert),
+ 0, XN_FLAG_ONELINE);
+ printf("\n");
+ }
+ sk_X509_pop_free(chain, X509_free);
+ }
+ if (x != NULL)
+ X509_free(x);
+
+ return (ret);
+}
+
+static int cb(int ok, X509_STORE_CTX *ctx)
+{
+ int cert_error = X509_STORE_CTX_get_error(ctx);
+ X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
+
+ if (!ok) {
+ if (current_cert) {
+ X509_NAME_print_ex_fp(stdout,
+ X509_get_subject_name(current_cert),
+ 0, XN_FLAG_ONELINE);
+ printf("\n");
+ }
+ printf("%serror %d at %d depth lookup:%s\n",
+ X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path]" : "",
+ cert_error,
+ X509_STORE_CTX_get_error_depth(ctx),
+ X509_verify_cert_error_string(cert_error));
+ switch (cert_error) {
+ case X509_V_ERR_NO_EXPLICIT_POLICY:
+ policies_print(NULL, ctx);
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+
+ /*
+ * since we are just checking the certificates, it is ok if they
+ * are self signed. But we should still warn the user.
+ */
+
+ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ /* Continue after extension errors too */
+ case X509_V_ERR_INVALID_CA:
+ case X509_V_ERR_INVALID_NON_CA:
+ case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+ case X509_V_ERR_INVALID_PURPOSE:
+ case X509_V_ERR_CRL_HAS_EXPIRED:
+ case X509_V_ERR_CRL_NOT_YET_VALID:
+ case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
+ ok = 1;
+
+ }
+
+ return ok;
+
+ }
+ if (cert_error == X509_V_OK && ok == 2)
+ policies_print(NULL, ctx);
+ if (!v_verbose)
+ ERR_clear_error();
+ return (ok);
+}