X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fverify.c;h=20cc9e354cd3c1934d4c4036c1ad68f8fc4e453f;hp=6a93c018b8ce0d065d605f4f7bfda46bb44f16a6;hb=bab534057b855a7dbf98261d494897b3542bd9d5;hpb=0b13e9f055d3f7be066dc2e89fc9f9822b12eca7 diff --git a/apps/verify.c b/apps/verify.c index 6a93c018b8..20cc9e354c 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -79,13 +79,14 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { ENGINE *e = NULL; - int i,ret=1; + int i,ret=1, badarg = 0; int purpose = -1; char *CApath=NULL,*CAfile=NULL; char *untfile = NULL, *trustfile = NULL; STACK_OF(X509) *untrusted = NULL, *trusted = NULL; X509_STORE *cert_ctx=NULL; X509_LOOKUP *lookup=NULL; + X509_VERIFY_PARAM *vpm = NULL; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif @@ -121,18 +122,12 @@ int MAIN(int argc, char **argv) if (argc-- < 1) goto end; CAfile= *(++argv); } - else if (strcmp(*argv,"-purpose") == 0) + else if (args_verify(&argv, &argc, &badarg, bio_err, + &vpm)) { - X509_PURPOSE *xptmp; - if (argc-- < 1) goto end; - i = X509_PURPOSE_get_by_sname(*(++argv)); - if(i < 0) - { - BIO_printf(bio_err, "unrecognized purpose\n"); + if (badarg) goto end; - } - xptmp = X509_PURPOSE_get0(i); - purpose = X509_PURPOSE_get_id(xptmp); + continue; } else if (strcmp(*argv,"-untrusted") == 0) { @@ -153,14 +148,6 @@ int MAIN(int argc, char **argv) #endif else if (strcmp(*argv,"-help") == 0) goto end; - else if (strcmp(*argv,"-ignore_critical") == 0) - vflags |= X509_V_FLAG_IGNORE_CRITICAL; - else if (strcmp(*argv,"-issuer_checks") == 0) - vflags |= X509_V_FLAG_CB_ISSUER_CHECK; - else if (strcmp(*argv,"-crl_check") == 0) - vflags |= X509_V_FLAG_CRL_CHECK; - else if (strcmp(*argv,"-crl_check_all") == 0) - vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL; else if (strcmp(*argv,"-verbose") == 0) v_verbose=1; else if (argv[0][0] == '-') @@ -178,6 +165,9 @@ int MAIN(int argc, char **argv) e = setup_engine(bio_err, engine, 0); #endif + if (vpm) + X509_STORE_set1_param(cert_ctx, vpm); + lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file()); if (lookup == NULL) abort(); if (CAfile) { @@ -238,6 +228,7 @@ end: X509_PURPOSE_get0_name(ptmp)); } } + if (vpm) X509_VERIFY_PARAM_free(vpm); if (cert_ctx != NULL) X509_STORE_free(cert_ctx); sk_X509_pop_free(untrusted, X509_free); sk_X509_pop_free(trusted, X509_free); @@ -275,7 +266,7 @@ static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X ret=0; end: - if (i) + if (i > 0) { fprintf(stdout,"OK\n"); ret=1; @@ -339,10 +330,13 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx) if (!ok) { - X509_NAME_oneline( + if (ctx->current_cert) + { + X509_NAME_oneline( X509_get_subject_name(ctx->current_cert),buf, sizeof buf); - printf("%s\n",buf); + printf("%s\n",buf); + } printf("error %d at %d depth lookup:%s\n",ctx->error, ctx->error_depth, X509_verify_cert_error_string(ctx->error)); @@ -354,15 +348,22 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx) if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; /* Continue after extension errors too */ if (ctx->error == X509_V_ERR_INVALID_CA) ok=1; + if (ctx->error == X509_V_ERR_INVALID_NON_CA) ok=1; if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED) ok=1; if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok=1; if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; if (ctx->error == X509_V_ERR_CRL_HAS_EXPIRED) ok=1; if (ctx->error == X509_V_ERR_CRL_NOT_YET_VALID) ok=1; if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1; + + if (ctx->error == X509_V_ERR_NO_EXPLICIT_POLICY) + policies_print(NULL, ctx); + return ok; + } + if ((ctx->error == X509_V_OK) && (ok == 2)) + policies_print(NULL, ctx); if (!v_verbose) ERR_clear_error(); return(ok); } -