diff options
| author |   beck <beck@openbsd.org> | 2002-05-15 02:29:01 +0000 |
|---|---|---|
| committer | beck <beck@openbsd.org> | 2002-05-15 02:29:01 +0000 |
| commit | da347917d3d3e5d3ece379d298f4e183b4828151 (patch) | |
| tree | 4667bec6fb5a5191ed165d4bf727adbb97475bcb /lib/libssl/src/apps/verify.c | |
| parent | OpenSSL 0.9.7 (diff) | |
| download | wireguard-openbsd-da347917d3d3e5d3ece379d298f4e183b4828151.tar.xz wireguard-openbsd-da347917d3d3e5d3ece379d298f4e183b4828151.zip | |
OpenSSL 0.9.7 stable 2002 05 08 merge
Diffstat (limited to 'lib/libssl/src/apps/verify.c')
| -rw-r--r-- | lib/libssl/src/apps/verify.c | 82 |
1 files changed, 28 insertions, 54 deletions
diff --git a/lib/libssl/src/apps/verify.c b/lib/libssl/src/apps/verify.c index f384de6d296..215ef84fc75 100644 --- a/lib/libssl/src/apps/verify.c +++ b/lib/libssl/src/apps/verify.c @@ -65,15 +65,14 @@ #include <openssl/x509.h> #include <openssl/x509v3.h> #include <openssl/pem.h> -#include <openssl/engine.h> #undef PROG #define PROG verify_main static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx); -static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose); +static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose, ENGINE *e); static STACK_OF(X509) *load_untrusted(char *file); -static int v_verbose=0, issuer_checks = 0; +static int v_verbose=0, vflags = 0; int MAIN(int, char **); @@ -101,6 +100,9 @@ int MAIN(int argc, char **argv) if ((bio_err=BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); + if (!load_config(bio_err, NULL)) + goto end; + argc--; argv++; for (;;) @@ -147,8 +149,14 @@ int MAIN(int argc, char **argv) } else if (strcmp(*argv,"-help") == 0) goto end; + else if (strcmp(*argv,"-ignore_critical") == 0) + vflags |= X509_V_FLAG_IGNORE_CRITICAL; else if (strcmp(*argv,"-issuer_checks") == 0) - issuer_checks=1; + vflags |= X509_V_FLAG_CB_ISSUER_CHECK; + else if (strcmp(*argv,"-crl_check") == 0) + vflags |= X509_V_FLAG_CRL_CHECK; + else if (strcmp(*argv,"-crl_check_all") == 0) + vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL; else if (strcmp(*argv,"-verbose") == 0) v_verbose=1; else if (argv[0][0] == '-') @@ -162,23 +170,7 @@ int MAIN(int argc, char **argv) break; } - if (engine != NULL) - { - if((e = ENGINE_by_id(engine)) == NULL) - { - BIO_printf(bio_err,"invalid engine \"%s\"\n", - engine); - goto end; - } - if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) - { - BIO_printf(bio_err,"can't use that engine\n"); - goto end; - } - BIO_printf(bio_err,"engine \"%s\" set.\n", engine); - /* Free our "structural" reference. */ - ENGINE_free(e); - } + e = setup_engine(bio_err, engine, 0); lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file()); if (lookup == NULL) abort(); @@ -220,14 +212,14 @@ int MAIN(int argc, char **argv) } } - if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, purpose); + if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, purpose, e); else for (i=0; i<argc; i++) - check(cert_ctx,argv[i], untrusted, trusted, purpose); + check(cert_ctx,argv[i], untrusted, trusted, purpose, e); ret=0; end: if (ret == 1) { - BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-engine e] cert1 cert2 ...\n"); + BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...\n"); BIO_printf(bio_err,"recognized usages:\n"); for(i = 0; i < X509_PURPOSE_get_count(); i++) { X509_PURPOSE *ptmp; @@ -239,42 +231,19 @@ end: if (cert_ctx != NULL) X509_STORE_free(cert_ctx); sk_X509_pop_free(untrusted, X509_free); sk_X509_pop_free(trusted, X509_free); + apps_shutdown(); EXIT(ret); } -static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose) +static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose, ENGINE *e) { X509 *x=NULL; - BIO *in=NULL; int i=0,ret=0; X509_STORE_CTX *csc; - in=BIO_new(BIO_s_file()); - if (in == NULL) - { - ERR_print_errors(bio_err); - goto end; - } - - if (file == NULL) - BIO_set_fp(in,stdin,BIO_NOCLOSE); - else - { - if (BIO_read_filename(in,file) <= 0) - { - perror(file); - goto end; - } - } - - x=PEM_read_bio_X509(in,NULL,NULL,NULL); + x = load_cert(bio_err, file, FORMAT_PEM, NULL, e, "certificate file"); if (x == NULL) - { - fprintf(stdout,"%s: unable to load certificate file\n", - (file == NULL)?"stdin":file); - ERR_print_errors(bio_err); goto end; - } fprintf(stdout,"%s: ",(file == NULL)?"stdin":file); csc = X509_STORE_CTX_new(); @@ -283,11 +252,14 @@ static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X ERR_print_errors(bio_err); goto end; } - X509_STORE_CTX_init(csc,ctx,x,uchain); + X509_STORE_set_flags(ctx, vflags); + if(!X509_STORE_CTX_init(csc,ctx,x,uchain)) + { + ERR_print_errors(bio_err); + goto end; + } if(tchain) X509_STORE_CTX_trusted_stack(csc, tchain); if(purpose >= 0) X509_STORE_CTX_set_purpose(csc, purpose); - if(issuer_checks) - X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CB_ISSUER_CHECK); i=X509_verify_cert(csc); X509_STORE_CTX_free(csc); @@ -301,7 +273,6 @@ end: else ERR_print_errors(bio_err); if (x != NULL) X509_free(x); - if (in != NULL) BIO_free(in); return(ret); } @@ -375,6 +346,9 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx) if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED) ok=1; if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok=1; if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; + if (ctx->error == X509_V_ERR_CRL_HAS_EXPIRED) ok=1; + if (ctx->error == X509_V_ERR_CRL_NOT_YET_VALID) ok=1; + if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1; } if (!v_verbose) ERR_clear_error(); |