Reformat smime utility.
authorDr. Stephen Henson <steve@openssl.org>
Tue, 7 Sep 2004 18:38:46 +0000 (18:38 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 7 Sep 2004 18:38:46 +0000 (18:38 +0000)
Add support for policy checking in verify utility.

apps/apps.c
apps/apps.h
apps/smime.c
apps/verify.c

index 6bc3562cdb4e08da8924850252066cbe134a28dd..4121e47e9d6c7390c7c92870ba3c2b92d42e170b 100644 (file)
@@ -2141,10 +2141,14 @@ int WIN32_rename(char *from, char *to)
        }
 #endif
 
-int args_verify(char ***pargs, int *badarg, BIO *err, X509_VERIFY_PARAM **pm)
+int args_verify(char ***pargs, int *pargc,
+                       int *badarg, BIO *err, X509_VERIFY_PARAM **pm)
        {
        ASN1_OBJECT *otmp = NULL;
        unsigned long flags = 0;
+       int i;
+       int purpose = 0;
+       char **oldargs = *pargs;
        char *arg = **pargs, *argn = (*pargs)[1];
        if (!strcmp(arg, "-policy"))
                {
@@ -2162,6 +2166,27 @@ int args_verify(char ***pargs, int *badarg, BIO *err, X509_VERIFY_PARAM **pm)
                        }
                (*pargs)++;
                }
+       else if (strcmp(arg,"-purpose") == 0)
+               {
+               X509_PURPOSE *xptmp;
+               if (!argn)
+                       *badarg = 1;
+               else
+                       {
+                       i = X509_PURPOSE_get_by_sname(argn);
+                       if(i < 0)
+                               {
+                               BIO_printf(err, "unrecognized purpose\n");
+                               *badarg = 1;
+                               }
+                       else
+                               {
+                               xptmp = X509_PURPOSE_get0(i);
+                               purpose = X509_PURPOSE_get_id(xptmp);
+                               }
+                       }
+               (*pargs)++;
+               }
        else if (!strcmp(arg, "-ignore_critical"))
                flags |= X509_V_FLAG_IGNORE_CRITICAL;
        else if (!strcmp(arg, "-issuer_checks"))
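Review bot: In the new `-purpose` branch the `(*pargs)++` at the end of the branch runs even when `argn` is NULL, so together with the second `(*pargs)++` after `end:` the cursor moves two entries past `-purpose` although only one token was present, and the count reported through `pargc` is off by one as well. Moving `(*pargs)++;` into the `else` branch, after `purpose = X509_PURPOSE_get_id(xptmp);`, keeps the cursor on the argv NULL terminator when the value is missing. The pre-existing `-policy` branch at the top of the hunk has the same shape and could be fixed the same way. The visible call sites stop on `badarg` before dereferencing, so this looks like a bookkeeping issue rather than an out-of-bounds read, but it is worth fixing in the helper rather than relying on every caller. args_verify's body continues outside this hunk.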
@@ -2186,13 +2211,13 @@ int args_verify(char ***pargs, int *badarg, BIO *err, X509_VERIFY_PARAM **pm)
                if (*pm)
                        X509_VERIFY_PARAM_free(*pm);
                *pm = NULL;
-               return 1;
+               goto end;
                }
 
        if (!*pm && !(*pm = X509_VERIFY_PARAM_new()))
                {
                *badarg = 1;
-               return 1;
+               goto end;
                }
 
        if (otmp)
@@ -2200,8 +2225,56 @@ int args_verify(char ***pargs, int *badarg, BIO *err, X509_VERIFY_PARAM **pm)
        if (flags)
                X509_VERIFY_PARAM_set_flags(*pm, flags);
 
+       if (purpose)
+               X509_VERIFY_PARAM_set_purpose(*pm, purpose);
+
+       end:
+
        (*pargs)++;
 
+       if (pargc)
+               *pargc -= *pargs - oldargs;
+
        return 1;
 
        }
+
+static void nodes_print(BIO *out, char *name, STACK_OF(X509_POLICY_NODE) *nodes)
+       {
+       X509_POLICY_NODE *node;
+       int i;
+       BIO_printf(out, "%s Policies:", name);
+       if (nodes)
+               {
+               BIO_puts(out, "\n");
+               for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++)
+                       {
+                       node = sk_X509_POLICY_NODE_value(nodes, i);
+                       X509_POLICY_NODE_print(out, node, 2);
+                       }
+               }
+       else
+               BIO_puts(out, " <empty>\n");
+       }
+
+void policies_print(BIO *out, X509_STORE_CTX *ctx)
+       {
+       X509_POLICY_TREE *tree;
+       int explicit_policy;
+       int free_out = 0;
+       if (out == NULL)
+               {
+               out = BIO_new_fp(stderr, BIO_NOCLOSE);
+               free_out = 1;
+               }
+       tree = X509_STORE_CTX_get0_policy_tree(ctx);
+       explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx);
+
+       BIO_printf(out, "Require explicit Policy: %s\n",
+                               explicit_policy ? "True" : "False");
+
+       nodes_print(out, "Authority", X509_policy_tree_get0_policies(tree));
+       nodes_print(out, "User", X509_policy_tree_get0_user_policies(tree));
+       if (free_out)
+               BIO_free(out);
+       }
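Review bot: In `policies_print` the result of `BIO_new_fp(stderr, BIO_NOCLOSE)` is used without a NULL check; adding `if (out == NULL) return;` right after the assignment avoids printing through a NULL BIO when stderr cannot be wrapped. `nodes_print` only passes `name` to `BIO_printf`, so its parameter can be declared `const char *name`, which matches the string-literal call sites. The `*pargc -= *pargs - oldargs;` line narrows a `ptrdiff_t` to `int` implicitly; an explicit `(int)` cast with a comment noting that at most two entries are consumed per call would make the intent clear.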
index ede0c462fcd7c53f3fcf1f2725fce7f8b58fb36c..7d879637b7d8a33099a4cc7dedf187ffb774ac1c 100644 (file)
@@ -317,7 +317,9 @@ int index_name_cmp(const char **a, const char **b);
 int parse_yesno(char *str, int def);
 
 X509_NAME *parse_name(char *str, long chtype, int multirdn);
-int args_verify(char ***pargs, int *badarg, BIO *err, X509_VERIFY_PARAM **pm);
+int args_verify(char ***pargs, int *pargc,
+                       int *badarg, BIO *err, X509_VERIFY_PARAM **pm);
+void policies_print(BIO *out, X509_STORE_CTX *ctx);
 
 #define FORMAT_UNDEF    0
 #define FORMAT_ASN1     1
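Review bot: The new `pargc` parameter and the `policies_print` prototype carry no comment, and the contract is not obvious from the declarations: `pargc` may be NULL (smime.c passes NULL) and, when non-NULL, is decremented by the number of argv entries args_verify consumed, while `policies_print` accepts a NULL `out` and then writes to stderr. A short `/* ... */` block above each prototype stating this would spare callers a trip into apps.c.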
index 4e68643669c9f554d23cb263064a9943cf977a12..57ac6d8a265c0f9e3b7e22273714e96ccfb8587e 100644 (file)
@@ -365,7 +365,7 @@ int MAIN(int argc, char **argv)
                        else
                                badarg = 1;
                        }
-               else if (args_verify(&args, &badarg, bio_err, &vpm))
+               else if (args_verify(&args, NULL, &badarg, bio_err, &vpm))
                        continue;
                else
                        badarg = 1;
@@ -769,43 +769,10 @@ static int save_certs(char *signerfile, STACK_OF(X509) *signers)
        }
        
 
-static void nodes_print(BIO *out, char *name, STACK_OF(X509_POLICY_NODE) *nodes)
-       {
-       X509_POLICY_NODE *node;
-       int i;
-       BIO_printf(out, "%s Policies:", name);
-       if (nodes)
-               {
-               BIO_puts(out, "\n");
-               for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++)
-                       {
-                       node = sk_X509_POLICY_NODE_value(nodes, i);
-                       X509_POLICY_NODE_print(out, node, 2);
-                       }
-               }
-       else
-               BIO_puts(out, " <empty>\n");
-       }
-
-static void policies_print(BIO *out, X509_STORE_CTX *ctx)
-       {
-       X509_POLICY_TREE *tree;
-       int explicit_policy;
-       tree = X509_STORE_CTX_get0_policy_tree(ctx);
-       explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx);
-
-       BIO_printf(out, "Require explicit Policy: %s\n",
-                               explicit_policy ? "True" : "False");
-
-       nodes_print(out, "Authority", X509_policy_tree_get0_policies(tree));
-       nodes_print(out, "User", X509_policy_tree_get0_user_policies(tree));
-       }
-
 /* Minimal callback just to output policy info (if any) */
 
 static int smime_cb(int ok, X509_STORE_CTX *ctx)
        {
-       BIO *out;
        int error;
 
        error = X509_STORE_CTX_get_error(ctx);
@@ -814,11 +781,7 @@ static int smime_cb(int ok, X509_STORE_CTX *ctx)
                && ((error != X509_V_OK) || (ok != 2)))
                return ok;
 
-       out = BIO_new_fp(stderr, BIO_NOCLOSE);
-
-       policies_print(out, ctx);
-
-       BIO_free(out);
+       policies_print(NULL, ctx);
 
        return ok;
 
index 6a93c018b8ce0d065d605f4f7bfda46bb44f16a6..f7c85b8dd66ddded6648f7dcdcf5aea9a6f3d324 100644 (file)
@@ -79,13 +79,14 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
        {
        ENGINE *e = NULL;
-       int i,ret=1;
+       int i,ret=1, badarg = 0;
        int purpose = -1;
        char *CApath=NULL,*CAfile=NULL;
        char *untfile = NULL, *trustfile = NULL;
        STACK_OF(X509) *untrusted = NULL, *trusted = NULL;
        X509_STORE *cert_ctx=NULL;
        X509_LOOKUP *lookup=NULL;
+       X509_VERIFY_PARAM *vpm = NULL;
 #ifndef OPENSSL_NO_ENGINE
        char *engine=NULL;
 #endif
@@ -121,18 +122,12 @@ int MAIN(int argc, char **argv)
                                if (argc-- < 1) goto end;
                                CAfile= *(++argv);
                                }
-                       else if (strcmp(*argv,"-purpose") == 0)
+                       else if (args_verify(&argv, &argc, &badarg, bio_err,
+                                                                       &vpm))
                                {
-                               X509_PURPOSE *xptmp;
-                               if (argc-- < 1) goto end;
-                               i = X509_PURPOSE_get_by_sname(*(++argv));
-                               if(i < 0)
-                                       {
-                                       BIO_printf(bio_err, "unrecognized purpose\n");
+                               if (badarg)
                                        goto end;
-                                       }
-                               xptmp = X509_PURPOSE_get0(i);
-                               purpose = X509_PURPOSE_get_id(xptmp);
+                               continue;
                                }
                        else if (strcmp(*argv,"-untrusted") == 0)
                                {
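Review bot: The `continue` after a successful `args_verify()` relies on the helper having already advanced `argv` and decremented `argc` through `&argc`, bypassing whatever per-iteration increment the enclosing loop performs; a one-line comment such as `/* args_verify() already advanced argv/argc */` before `continue;` would make that dependency visible to the next reader. The loop that contains this branch starts and ends outside the hunk.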
@@ -153,14 +148,6 @@ int MAIN(int argc, char **argv)
 #endif
                        else if (strcmp(*argv,"-help") == 0)
                                goto end;
-                       else if (strcmp(*argv,"-ignore_critical") == 0)
-                               vflags |= X509_V_FLAG_IGNORE_CRITICAL;
-                       else if (strcmp(*argv,"-issuer_checks") == 0)
-                               vflags |= X509_V_FLAG_CB_ISSUER_CHECK;
-                       else if (strcmp(*argv,"-crl_check") == 0)
-                               vflags |= X509_V_FLAG_CRL_CHECK;
-                       else if (strcmp(*argv,"-crl_check_all") == 0)
-                               vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
                        else if (strcmp(*argv,"-verbose") == 0)
                                v_verbose=1;
                        else if (argv[0][0] == '-')
@@ -178,6 +165,9 @@ int MAIN(int argc, char **argv)
         e = setup_engine(bio_err, engine, 0);
 #endif
 
+       if (vpm)
+               X509_STORE_set1_param(cert_ctx, vpm);
+
        lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file());
        if (lookup == NULL) abort();
        if (CAfile) {
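Review bot: `X509_STORE_set1_param()` returns an int and its result is discarded at the new call; if copying the parameters fails, verification silently proceeds without the requested purpose, policy or CRL settings. Change the call to `if (vpm && !X509_STORE_set1_param(cert_ctx, vpm)) goto end;` so a failure takes the existing error exit instead of degrading the check.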
@@ -238,6 +228,7 @@ end:
                                                                X509_PURPOSE_get0_name(ptmp));
                }
        }
+       if (vpm) X509_VERIFY_PARAM_free(vpm);
        if (cert_ctx != NULL) X509_STORE_free(cert_ctx);
        sk_X509_pop_free(untrusted, X509_free);
        sk_X509_pop_free(trusted, X509_free);
@@ -339,10 +330,13 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
 
        if (!ok)
                {
-               X509_NAME_oneline(
+               if (ctx->current_cert)
+                       {
+                       X509_NAME_oneline(
                                X509_get_subject_name(ctx->current_cert),buf,
                                sizeof buf);
-               printf("%s\n",buf);
+                       printf("%s\n",buf);
+                       }
                printf("error %d at %d depth lookup:%s\n",ctx->error,
                        ctx->error_depth,
                        X509_verify_cert_error_string(ctx->error));
@@ -360,7 +354,14 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
                if (ctx->error == X509_V_ERR_CRL_HAS_EXPIRED) ok=1;
                if (ctx->error == X509_V_ERR_CRL_NOT_YET_VALID) ok=1;
                if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1;
+
+               if (ctx->error == X509_V_ERR_NO_EXPLICIT_POLICY)
+                       policies_print(NULL, ctx);
+               return ok;
+
                }
+       if ((ctx->error == X509_V_OK) && (ok == 2))
+               policies_print(NULL, ctx);
        if (!v_verbose)
                ERR_clear_error();
        return(ok);
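Review bot: The added `return ok;` at the end of the `if (!ok)` block skips the `if (!v_verbose) ERR_clear_error();` tail for every error path, which the callback previously reached on both paths; since the `(ok == 2)` test below cannot match once `ok` has been overridden to 1 inside that block, the early return changes only the error-queue behaviour and can be dropped unless that change is intended. The literal `2` also deserves a comment where it is tested, e.g. `/* ok == 2: policy-notification callback, policy tree is available */` — presumably the value passed when X509_V_FLAG_NOTIFY_POLICY is set; confirm against x509_vfy.c. The `if (!ok)` block starts outside the hunk.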