Tree - source-git/openssl - CentOS Git server

source-git / openssl

Blame apps/verify.c

Blob History Raw

Packit	c4476c	`/*`
Packit	c4476c	`* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.`
Packit	c4476c	`*`
Packit	c4476c	`* Licensed under the OpenSSL license (the "License"). You may not use`
Packit	c4476c	`* this file except in compliance with the License. You can obtain a copy`
Packit	c4476c	`* in the file LICENSE in the source distribution or at`
Packit	c4476c	`* https://www.openssl.org/source/license.html`
Packit	c4476c	`*/`
Packit	c4476c
Packit	c4476c	`#include <stdio.h>`
Packit	c4476c	`#include <stdlib.h>`
Packit	c4476c	`#include <string.h>`
Packit	c4476c	`#include "apps.h"`
Packit	c4476c	`#include "progs.h"`
Packit	c4476c	`#include <openssl/bio.h>`
Packit	c4476c	`#include <openssl/err.h>`
Packit	c4476c	`#include <openssl/x509.h>`
Packit	c4476c	`#include <openssl/x509v3.h>`
Packit	c4476c	`#include <openssl/pem.h>`
Packit	c4476c
Packit	c4476c	`static int cb(int ok, X509_STORE_CTX *ctx);`
Packit	c4476c	`static int check(X509_STORE ctx, const char file,`
Packit	c4476c	`STACK_OF(X509) uchain, STACK_OF(X509) tchain,`
Packit	c4476c	`STACK_OF(X509_CRL) *crls, int show_chain);`
Packit	c4476c	`static int v_verbose = 0, vflags = 0;`
Packit	c4476c
Packit	c4476c	`typedef enum OPTION_choice {`
Packit	c4476c	`OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,`
Packit	c4476c	`OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE,`
Packit	c4476c	`OPT_UNTRUSTED, OPT_TRUSTED, OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN,`
Packit	c4476c	`OPT_V_ENUM, OPT_NAMEOPT,`
Packit	c4476c	`OPT_VERBOSE`
Packit	c4476c	`} OPTION_CHOICE;`
Packit	c4476c
Packit	c4476c	`const OPTIONS verify_options[] = {`
Packit	c4476c	`{OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"},`
Packit	c4476c	`{OPT_HELP_STR, 1, '-', "Valid options are:\n"},`
Packit	c4476c	`{"help", OPT_HELP, '-', "Display this summary"},`
Packit	c4476c	`{"verbose", OPT_VERBOSE, '-',`
Packit	c4476c	`"Print extra information about the operations being performed."},`
Packit	c4476c	`{"CApath", OPT_CAPATH, '/', "A directory of trusted certificates"},`
Packit	c4476c	`{"CAfile", OPT_CAFILE, '<', "A file of trusted certificates"},`
Packit	c4476c	`{"no-CAfile", OPT_NOCAFILE, '-',`
Packit	c4476c	`"Do not load the default certificates file"},`
Packit	c4476c	`{"no-CApath", OPT_NOCAPATH, '-',`
Packit	c4476c	`"Do not load certificates from the default certificates directory"},`
Packit	c4476c	`{"untrusted", OPT_UNTRUSTED, '<', "A file of untrusted certificates"},`
Packit	c4476c	`{"trusted", OPT_TRUSTED, '<', "A file of trusted certificates"},`
Packit	c4476c	`{"CRLfile", OPT_CRLFILE, '<',`
Packit	c4476c	`"File containing one or more CRL's (in PEM format) to load"},`
Packit	c4476c	`{"crl_download", OPT_CRL_DOWNLOAD, '-',`
Packit	c4476c	`"Attempt to download CRL information for this certificate"},`
Packit	c4476c	`{"show_chain", OPT_SHOW_CHAIN, '-',`
Packit	c4476c	`"Display information about the certificate chain"},`
Packit	c4476c	`{"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},`
Packit	c4476c	`OPT_V_OPTIONS,`
Packit	c4476c	`#ifndef OPENSSL_NO_ENGINE`
Packit	c4476c	`{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},`
Packit	c4476c	`#endif`
Packit	c4476c	`{NULL}`
Packit	c4476c	`};`
Packit	c4476c
Packit	c4476c	`int verify_main(int argc, char **argv)`
Packit	c4476c	`{`
Packit	c4476c	`ENGINE *e = NULL;`
Packit	c4476c	`STACK_OF(X509) untrusted = NULL, trusted = NULL;`
Packit	c4476c	`STACK_OF(X509_CRL) *crls = NULL;`
Packit	c4476c	`X509_STORE *store = NULL;`
Packit	c4476c	`X509_VERIFY_PARAM *vpm = NULL;`
Packit	c4476c	`const char prog, CApath = NULL, *CAfile = NULL;`
Packit	c4476c	`int noCApath = 0, noCAfile = 0;`
Packit	c4476c	`int vpmtouched = 0, crl_download = 0, show_chain = 0, i = 0, ret = 1;`
Packit	c4476c	`OPTION_CHOICE o;`
Packit	c4476c
Packit	c4476c	`if ((vpm = X509_VERIFY_PARAM_new()) == NULL)`
Packit	c4476c	`goto end;`
Packit	c4476c
Packit	c4476c	`prog = opt_init(argc, argv, verify_options);`
Packit	c4476c	`while ((o = opt_next()) != OPT_EOF) {`
Packit	c4476c	`switch (o) {`
Packit	c4476c	`case OPT_EOF:`
Packit	c4476c	`case OPT_ERR:`
Packit	c4476c	`BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);`
Packit	c4476c	`goto end;`
Packit	c4476c	`case OPT_HELP:`
Packit	c4476c	`opt_help(verify_options);`
Packit	c4476c	`BIO_printf(bio_err, "Recognized usages:\n");`
Packit	c4476c	`for (i = 0; i < X509_PURPOSE_get_count(); i++) {`
Packit	c4476c	`X509_PURPOSE *ptmp;`
Packit	c4476c	`ptmp = X509_PURPOSE_get0(i);`
Packit	c4476c	`BIO_printf(bio_err, "\t%-10s\t%s\n",`
Packit	c4476c	`X509_PURPOSE_get0_sname(ptmp),`
Packit	c4476c	`X509_PURPOSE_get0_name(ptmp));`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`BIO_printf(bio_err, "Recognized verify names:\n");`
Packit	c4476c	`for (i = 0; i < X509_VERIFY_PARAM_get_count(); i++) {`
Packit	c4476c	`const X509_VERIFY_PARAM *vptmp;`
Packit	c4476c	`vptmp = X509_VERIFY_PARAM_get0(i);`
Packit	c4476c	`BIO_printf(bio_err, "\t%-10s\n",`
Packit	c4476c	`X509_VERIFY_PARAM_get0_name(vptmp));`
Packit	c4476c	`}`
Packit	c4476c	`ret = 0;`
Packit	c4476c	`goto end;`
Packit	c4476c	`case OPT_V_CASES:`
Packit	c4476c	`if (!opt_verify(o, vpm))`
Packit	c4476c	`goto end;`
Packit	c4476c	`vpmtouched++;`
Packit	c4476c	`break;`
Packit	c4476c	`case OPT_CAPATH:`
Packit	c4476c	`CApath = opt_arg();`
Packit	c4476c	`break;`
Packit	c4476c	`case OPT_CAFILE:`
Packit	c4476c	`CAfile = opt_arg();`
Packit	c4476c	`break;`
Packit	c4476c	`case OPT_NOCAPATH:`
Packit	c4476c	`noCApath = 1;`
Packit	c4476c	`break;`
Packit	c4476c	`case OPT_NOCAFILE:`
Packit	c4476c	`noCAfile = 1;`
Packit	c4476c	`break;`
Packit	c4476c	`case OPT_UNTRUSTED:`
Packit	c4476c	`/* Zero or more times */`
Packit	c4476c	`if (!load_certs(opt_arg(), &untrusted, FORMAT_PEM, NULL,`
Packit	c4476c	`"untrusted certificates"))`
Packit	c4476c	`goto end;`
Packit	c4476c	`break;`
Packit	c4476c	`case OPT_TRUSTED:`
Packit	c4476c	`/* Zero or more times */`
Packit	c4476c	`noCAfile = 1;`
Packit	c4476c	`noCApath = 1;`
Packit	c4476c	`if (!load_certs(opt_arg(), &trusted, FORMAT_PEM, NULL,`
Packit	c4476c	`"trusted certificates"))`
Packit	c4476c	`goto end;`
Packit	c4476c	`break;`
Packit	c4476c	`case OPT_CRLFILE:`
Packit	c4476c	`/* Zero or more times */`
Packit	c4476c	`if (!load_crls(opt_arg(), &crls, FORMAT_PEM, NULL,`
Packit	c4476c	`"other CRLs"))`
Packit	c4476c	`goto end;`
Packit	c4476c	`break;`
Packit	c4476c	`case OPT_CRL_DOWNLOAD:`
Packit	c4476c	`crl_download = 1;`
Packit	c4476c	`break;`
Packit	c4476c	`case OPT_ENGINE:`
Packit	c4476c	`if ((e = setup_engine(opt_arg(), 0)) == NULL) {`
Packit	c4476c	`/* Failure message already displayed */`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`break;`
Packit	c4476c	`case OPT_SHOW_CHAIN:`
Packit	c4476c	`show_chain = 1;`
Packit	c4476c	`break;`
Packit	c4476c	`case OPT_NAMEOPT:`
Packit	c4476c	`if (!set_nameopt(opt_arg()))`
Packit	c4476c	`goto end;`
Packit	c4476c	`break;`
Packit	c4476c	`case OPT_VERBOSE:`
Packit	c4476c	`v_verbose = 1;`
Packit	c4476c	`break;`
Packit	c4476c	`}`
Packit	c4476c	`}`
Packit	c4476c	`argc = opt_num_rest();`
Packit	c4476c	`argv = opt_rest();`
Packit	c4476c	`if (trusted != NULL && (CAfile \|\| CApath)) {`
Packit	c4476c	`BIO_printf(bio_err,`
Packit	c4476c	`"%s: Cannot use -trusted with -CAfile or -CApath\n",`
Packit	c4476c	`prog);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)`
Packit	c4476c	`goto end;`
Packit	c4476c	`X509_STORE_set_verify_cb(store, cb);`
Packit	c4476c
Packit	c4476c	`if (vpmtouched)`
Packit	c4476c	`X509_STORE_set1_param(store, vpm);`
Packit	c4476c
Packit	c4476c	`ERR_clear_error();`
Packit	c4476c
Packit	c4476c	`if (crl_download)`
Packit	c4476c	`store_setup_crl_download(store);`
Packit	c4476c
Packit	c4476c	`ret = 0;`
Packit	c4476c	`if (argc < 1) {`
Packit	c4476c	`if (check(store, NULL, untrusted, trusted, crls, show_chain) != 1)`
Packit	c4476c	`ret = -1;`
Packit	c4476c	`} else {`
Packit	c4476c	`for (i = 0; i < argc; i++)`
Packit	c4476c	`if (check(store, argv[i], untrusted, trusted, crls,`
Packit	c4476c	`show_chain) != 1)`
Packit	c4476c	`ret = -1;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`end:`
Packit	c4476c	`X509_VERIFY_PARAM_free(vpm);`
Packit	c4476c	`X509_STORE_free(store);`
Packit	c4476c	`sk_X509_pop_free(untrusted, X509_free);`
Packit	c4476c	`sk_X509_pop_free(trusted, X509_free);`
Packit	c4476c	`sk_X509_CRL_pop_free(crls, X509_CRL_free);`
Packit	c4476c	`release_engine(e);`
Packit	c4476c	`return (ret < 0 ? 2 : ret);`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`static int check(X509_STORE ctx, const char file,`
Packit	c4476c	`STACK_OF(X509) uchain, STACK_OF(X509) tchain,`
Packit	c4476c	`STACK_OF(X509_CRL) *crls, int show_chain)`
Packit	c4476c	`{`
Packit	c4476c	`X509 *x = NULL;`
Packit	c4476c	`int i = 0, ret = 0;`
Packit	c4476c	`X509_STORE_CTX *csc;`
Packit	c4476c	`STACK_OF(X509) *chain = NULL;`
Packit	c4476c	`int num_untrusted;`
Packit	c4476c
Packit	c4476c	`x = load_cert(file, FORMAT_PEM, "certificate file");`
Packit	c4476c	`if (x == NULL)`
Packit	c4476c	`goto end;`
Packit	c4476c
Packit	c4476c	`csc = X509_STORE_CTX_new();`
Packit	c4476c	`if (csc == NULL) {`
Packit	c4476c	`printf("error %s: X.509 store context allocation failed\n",`
Packit	c4476c	`(file == NULL) ? "stdin" : file);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`X509_STORE_set_flags(ctx, vflags);`
Packit	c4476c	`if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {`
Packit	c4476c	`X509_STORE_CTX_free(csc);`
Packit	c4476c	`printf("error %s: X.509 store context initialization failed\n",`
Packit	c4476c	`(file == NULL) ? "stdin" : file);`
Packit	c4476c	`goto end;`
Packit	c4476c	`}`
Packit	c4476c	`if (tchain != NULL)`
Packit	c4476c	`X509_STORE_CTX_set0_trusted_stack(csc, tchain);`
Packit	c4476c	`if (crls != NULL)`
Packit	c4476c	`X509_STORE_CTX_set0_crls(csc, crls);`
Packit	c4476c	`i = X509_verify_cert(csc);`
Packit	c4476c	`if (i > 0 && X509_STORE_CTX_get_error(csc) == X509_V_OK) {`
Packit	c4476c	`printf("%s: OK\n", (file == NULL) ? "stdin" : file);`
Packit	c4476c	`ret = 1;`
Packit	c4476c	`if (show_chain) {`
Packit	c4476c	`int j;`
Packit	c4476c
Packit	c4476c	`chain = X509_STORE_CTX_get1_chain(csc);`
Packit	c4476c	`num_untrusted = X509_STORE_CTX_get_num_untrusted(csc);`
Packit	c4476c	`printf("Chain:\n");`
Packit	c4476c	`for (j = 0; j < sk_X509_num(chain); j++) {`
Packit	c4476c	`X509 *cert = sk_X509_value(chain, j);`
Packit	c4476c	`printf("depth=%d: ", j);`
Packit	c4476c	`X509_NAME_print_ex_fp(stdout,`
Packit	c4476c	`X509_get_subject_name(cert),`
Packit	c4476c	`0, get_nameopt());`
Packit	c4476c	`if (j < num_untrusted)`
Packit	c4476c	`printf(" (untrusted)");`
Packit	c4476c	`printf("\n");`
Packit	c4476c	`}`
Packit	c4476c	`sk_X509_pop_free(chain, X509_free);`
Packit	c4476c	`}`
Packit	c4476c	`} else {`
Packit	c4476c	`printf("error %s: verification failed\n", (file == NULL) ? "stdin" : file);`
Packit	c4476c	`}`
Packit	c4476c	`X509_STORE_CTX_free(csc);`
Packit	c4476c
Packit	c4476c	`end:`
Packit	c4476c	`if (i <= 0)`
Packit	c4476c	`ERR_print_errors(bio_err);`
Packit	c4476c	`X509_free(x);`
Packit	c4476c
Packit	c4476c	`return ret;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`static int cb(int ok, X509_STORE_CTX *ctx)`
Packit	c4476c	`{`
Packit	c4476c	`int cert_error = X509_STORE_CTX_get_error(ctx);`
Packit	c4476c	`X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);`
Packit	c4476c
Packit	c4476c	`if (!ok) {`
Packit	c4476c	`if (current_cert != NULL) {`
Packit	c4476c	`X509_NAME_print_ex(bio_err,`
Packit	c4476c	`X509_get_subject_name(current_cert),`
Packit	c4476c	`0, get_nameopt());`
Packit	c4476c	`BIO_printf(bio_err, "\n");`
Packit	c4476c	`}`
Packit	c4476c	`BIO_printf(bio_err, "%serror %d at %d depth lookup: %s\n",`
Packit	c4476c	`X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path] " : "",`
Packit	c4476c	`cert_error,`
Packit	c4476c	`X509_STORE_CTX_get_error_depth(ctx),`
Packit	c4476c	`X509_verify_cert_error_string(cert_error));`
Packit	c4476c
Packit	c4476c	`/*`
Packit	c4476c	`* Pretend that some errors are ok, so they don't stop further`
Packit	c4476c	`* processing of the certificate chain. Setting ok = 1 does this.`
Packit	c4476c	`* After X509_verify_cert() is done, we verify that there were`
Packit	c4476c	`* no actual errors, even if the returned value was positive.`
Packit	c4476c	`*/`
Packit	c4476c	`switch (cert_error) {`
Packit	c4476c	`case X509_V_ERR_NO_EXPLICIT_POLICY:`
Packit	c4476c	`policies_print(ctx);`
Packit	c4476c	`/* fall thru */`
Packit	c4476c	`case X509_V_ERR_CERT_HAS_EXPIRED:`
Packit	c4476c	`/* Continue even if the leaf is a self signed cert */`
Packit	c4476c	`case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:`
Packit	c4476c	`/* Continue after extension errors too */`
Packit	c4476c	`case X509_V_ERR_INVALID_CA:`
Packit	c4476c	`case X509_V_ERR_INVALID_NON_CA:`
Packit	c4476c	`case X509_V_ERR_PATH_LENGTH_EXCEEDED:`
Packit	c4476c	`case X509_V_ERR_INVALID_PURPOSE:`
Packit	c4476c	`case X509_V_ERR_CRL_HAS_EXPIRED:`
Packit	c4476c	`case X509_V_ERR_CRL_NOT_YET_VALID:`
Packit	c4476c	`case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:`
Packit	c4476c	`ok = 1;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`return ok;`
Packit	c4476c
Packit	c4476c	`}`
Packit	c4476c	`if (cert_error == X509_V_OK && ok == 2)`
Packit	c4476c	`policies_print(ctx);`
Packit	c4476c	`if (!v_verbose)`
Packit	c4476c	`ERR_clear_error();`
Packit	c4476c	`return ok;`
Packit	c4476c	`}`

source-git / openssl

Source Code

Blame apps/verify.c