X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fverify.c;h=abb6ab30b0aeb11604618dcbb956e7a807032527;hp=e580acee8561d493cdfc1c90da283134ac724391;hb=7fd5df6b12321054bde3c9de73be71d7917e19da;hpb=dd4134101fb41261b20fe47fdf9068c84e923102 diff --git a/apps/verify.c b/apps/verify.c index e580acee85..abb6ab30b0 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -70,23 +70,34 @@ #define PROG verify_main static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx); -static int check(X509_STORE *ctx,char *file, STACK_OF(X509)*other, int purpose); -static STACK_OF(X509) *load_untrusted(char *file); -static int v_verbose=0; +static int check(X509_STORE *ctx, char *file, + STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, + STACK_OF(X509_CRL) *crls, ENGINE *e, time_t at_time); +static int v_verbose=0, vflags = 0; + +int MAIN(int, char **); int MAIN(int argc, char **argv) { - int i,ret=1; - int purpose = -1; + ENGINE *e = NULL; + int i,ret=1, badarg = 0; char *CApath=NULL,*CAfile=NULL; - char *untfile = NULL; - STACK_OF(X509) *untrusted = NULL; + char *untfile = NULL, *trustfile = NULL, *crlfile = NULL; + char *checktime_string = NULL; + long int timestamp; + time_t t = 0; + STACK_OF(X509) *untrusted = NULL, *trusted = NULL; + STACK_OF(X509_CRL) *crls = NULL; X509_STORE *cert_ctx=NULL; X509_LOOKUP *lookup=NULL; + X509_VERIFY_PARAM *vpm = NULL; +#ifndef OPENSSL_NO_ENGINE + char *engine=NULL; +#endif cert_ctx=X509_STORE_new(); if (cert_ctx == NULL) goto end; - X509_STORE_set_verify_cb_func(cert_ctx,cb); + X509_STORE_set_verify_cb(cert_ctx,cb); ERR_load_crypto_strings(); @@ -96,6 +107,9 @@ int MAIN(int argc, char **argv) if ((bio_err=BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); + if (!load_config(bio_err, NULL)) + goto end; + argc--; argv++; for (;;) @@ -112,24 +126,40 @@ int MAIN(int argc, char **argv) if (argc-- < 1) goto end; CAfile= *(++argv); } - else if (strcmp(*argv,"-purpose") == 0) + else if (args_verify(&argv, &argc, &badarg, bio_err, + &vpm)) { - X509_PURPOSE *xptmp; - if (argc-- < 1) goto end; - i = X509_PURPOSE_get_by_sname(*(++argv)); - if(i < 0) - { - BIO_printf(bio_err, "unrecognised purpose\n"); + if (badarg) goto end; - } - xptmp = X509_PURPOSE_iget(i); - purpose = X509_PURPOSE_get_id(xptmp); + continue; } else if (strcmp(*argv,"-untrusted") == 0) { if (argc-- < 1) goto end; untfile= *(++argv); } + else if (strcmp(*argv,"-trusted") == 0) + { + if (argc-- < 1) goto end; + trustfile= *(++argv); + } + else if (strcmp(*argv,"-CRLfile") == 0) + { + if (argc-- < 1) goto end; + crlfile= *(++argv); + } + else if (strcmp(*argv,"-attime") == 0) + { + if (argc-- < 1) goto end; + checktime_string= *(++argv); + } +#ifndef OPENSSL_NO_ENGINE + else if (strcmp(*argv,"-engine") == 0) + { + if (--argc < 1) goto end; + engine= *(++argv); + } +#endif else if (strcmp(*argv,"-help") == 0) goto end; else if (strcmp(*argv,"-verbose") == 0) @@ -145,6 +175,13 @@ int MAIN(int argc, char **argv) break; } +#ifndef OPENSSL_NO_ENGINE + e = setup_engine(bio_err, engine, 0); +#endif + + if (vpm) + X509_STORE_set1_param(cert_ctx, vpm); + lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file()); if (lookup == NULL) abort(); if (CAfile) { @@ -169,68 +206,97 @@ int MAIN(int argc, char **argv) ERR_clear_error(); - if(untfile) { - if(!(untrusted = load_untrusted(untfile))) { - BIO_printf(bio_err, "Error loading untrusted file %s\n", untfile); + if(untfile) + { + untrusted = load_certs(bio_err, untfile, FORMAT_PEM, + NULL, e, "untrusted certificates"); + if(!untrusted) + goto end; + } + + if(trustfile) + { + trusted = load_certs(bio_err, trustfile, FORMAT_PEM, + NULL, e, "trusted certificates"); + if(!trusted) + goto end; + } + + if(crlfile) + { + crls = load_crls(bio_err, crlfile, FORMAT_PEM, + NULL, e, "other CRLs"); + if(!crls) + goto end; + } + + if(checktime_string) + { + /* interpret the -attime argument as seconds since Epoch */ + if (sscanf(checktime_string, "%li", ×tamp) != 1) + { + BIO_printf(bio_err, "Error parsing timestamp %s\n", + checktime_string); ERR_print_errors(bio_err); goto end; + } + t = (time_t) timestamp; /* on some platforms time_t may be a float */ } - } - if (argc < 1) check(cert_ctx, NULL, untrusted, purpose); + if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, crls, e, t); else for (i=0; i= 0) X509_STORE_CTX_set_purpose(csc, purpose); + X509_STORE_set_flags(ctx, vflags); + if(!X509_STORE_CTX_init(csc,ctx,x,uchain)) + { + ERR_print_errors(bio_err); + goto end; + } + if(tchain) X509_STORE_CTX_trusted_stack(csc, tchain); + if (crls) + X509_STORE_CTX_set0_crls(csc, crls); + if (at_time) + X509_STORE_CTX_set_time(csc, 0, at_time); + i=X509_verify_cert(csc); X509_STORE_CTX_free(csc); ret=0; end: - if (i) + if (i > 0) { fprintf(stdout,"OK\n"); ret=1; @@ -254,83 +330,59 @@ end: else ERR_print_errors(bio_err); if (x != NULL) X509_free(x); - if (in != NULL) BIO_free(in); return(ret); } -static STACK_OF(X509) *load_untrusted(char *certfile) -{ - STACK_OF(X509_INFO) *sk=NULL; - STACK_OF(X509) *stack=NULL, *ret=NULL; - BIO *in=NULL; - X509_INFO *xi; +static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx) + { + int cert_error = X509_STORE_CTX_get_error(ctx); + X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx); - if(!(stack = sk_X509_new_null())) { - BIO_printf(bio_err,"memory allocation failure\n"); - goto end; - } + if (!ok) + { + if (current_cert) + { + X509_NAME_print_ex_fp(stdout, + X509_get_subject_name(current_cert), + 0, XN_FLAG_ONELINE); + printf("\n"); + } + printf("%serror %d at %d depth lookup:%s\n", + X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path]" : "", + cert_error, + X509_STORE_CTX_get_error_depth(ctx), + X509_verify_cert_error_string(cert_error)); + switch(cert_error) + { + case X509_V_ERR_NO_EXPLICIT_POLICY: + policies_print(NULL, ctx); + case X509_V_ERR_CERT_HAS_EXPIRED: - if(!(in=BIO_new_file(certfile, "r"))) { - BIO_printf(bio_err,"error opening the file, %s\n",certfile); - goto end; - } + /* since we are just checking the certificates, it is + * ok if they are self signed. But we should still warn + * the user. + */ - /* This loads from a file, a stack of x509/crl/pkey sets */ - if(!(sk=PEM_X509_INFO_read_bio(in,NULL,NULL,NULL))) { - BIO_printf(bio_err,"error reading the file, %s\n",certfile); - goto end; - } + case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: + /* Continue after extension errors too */ + case X509_V_ERR_INVALID_CA: + case X509_V_ERR_INVALID_NON_CA: + case X509_V_ERR_PATH_LENGTH_EXCEEDED: + case X509_V_ERR_INVALID_PURPOSE: + case X509_V_ERR_CRL_HAS_EXPIRED: + case X509_V_ERR_CRL_NOT_YET_VALID: + case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: + ok = 1; - /* scan over it and pull out the certs */ - while (sk_X509_INFO_num(sk)) - { - xi=sk_X509_INFO_shift(sk); - if (xi->x509 != NULL) - { - sk_X509_push(stack,xi->x509); - xi->x509=NULL; } - X509_INFO_free(xi); - } - if(!sk_X509_num(stack)) { - BIO_printf(bio_err,"no certificates in file, %s\n",certfile); - sk_X509_free(stack); - goto end; - } - ret=stack; -end: - BIO_free(in); - sk_X509_INFO_free(sk); - return(ret); - } -static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx) - { - char buf[256]; + return ok; - if (!ok) - { - X509_NAME_oneline( - X509_get_subject_name(ctx->current_cert),buf,256); - printf("%s\n",buf); - printf("error %d at %d depth lookup:%s\n",ctx->error, - ctx->error_depth, - X509_verify_cert_error_string(ctx->error)); - if (ctx->error == X509_V_ERR_CERT_HAS_EXPIRED) ok=1; - /* since we are just checking the certificates, it is - * ok if they are self signed. But we should still warn - * the user. - */ - if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; - /* Continue after extension errors too */ - if (ctx->error == X509_V_ERR_INVALID_CA) ok=1; - if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED) ok=1; - if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok=1; - if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; } + if (cert_error == X509_V_OK && ok == 2) + policies_print(NULL, ctx); if (!v_verbose) ERR_clear_error(); return(ok); } -