Blame - lib/openssl/apps/verify.c - kernel/lk

blob: 9163997e93c5e62118ba841f1e40352eedfa172a [file] [log] [blame]

Kinson Chik	a8fa74c	2011-07-29 11:33:41 -0700	[diff] [blame]	1	/* apps/verify.c */
				2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
				3	* All rights reserved.
				4	*
				5	* This package is an SSL implementation written
				6	* by Eric Young (eay@cryptsoft.com).
				7	* The implementation was written so as to conform with Netscapes SSL.
				8	*
				9	* This library is free for commercial and non-commercial use as long as
				10	* the following conditions are aheared to. The following conditions
				11	* apply to all code found in this distribution, be it the RC4, RSA,
				12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
				13	* included with this distribution is covered by the same copyright terms
				14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
				15	*
				16	* Copyright remains Eric Young's, and as such any Copyright notices in
				17	* the code are not to be removed.
				18	* If this package is used in a product, Eric Young should be given attribution
				19	* as the author of the parts of the library used.
				20	* This can be in the form of a textual message at program startup or
				21	* in documentation (online or textual) provided with the package.
				22	*
				23	* Redistribution and use in source and binary forms, with or without
				24	* modification, are permitted provided that the following conditions
				25	* are met:
				26	* 1. Redistributions of source code must retain the copyright
				27	* notice, this list of conditions and the following disclaimer.
				28	* 2. Redistributions in binary form must reproduce the above copyright
				29	* notice, this list of conditions and the following disclaimer in the
				30	* documentation and/or other materials provided with the distribution.
				31	* 3. All advertising materials mentioning features or use of this software
				32	* must display the following acknowledgement:
				33	* "This product includes cryptographic software written by
				34	* Eric Young (eay@cryptsoft.com)"
				35	* The word 'cryptographic' can be left out if the rouines from the library
				36	* being used are not cryptographic related :-).
				37	* 4. If you include any Windows specific code (or a derivative thereof) from
				38	* the apps directory (application code) you must include an acknowledgement:
				39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
				40	*
				41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
				42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
				43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
				44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
				45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
				46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
				47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
				48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
				49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
				50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
				51	* SUCH DAMAGE.
				52	*
				53	* The licence and distribution terms for any publically available version or
				54	* derivative of this code cannot be changed. i.e. this code cannot simply be
				55	* copied and put under another distribution licence
				56	* [including the GNU Public Licence.]
				57	*/
				58
				59	#include <stdio.h>
				60	#include <stdlib.h>
				61	#include <string.h>
				62	#include "apps.h"
				63	#include <openssl/bio.h>
				64	#include <openssl/err.h>
				65	#include <openssl/x509.h>
				66	#include <openssl/x509v3.h>
				67	#include <openssl/pem.h>
				68
				69	#undef PROG
				70	#define PROG verify_main
				71
				72	static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx);
				73	static int check(X509_STORE ctx, char file,
				74	STACK_OF(X509) uchain, STACK_OF(X509) tchain,
				75	STACK_OF(X509_CRL) crls, ENGINE e);
				76	static int v_verbose=0, vflags = 0;
				77
				78	int MAIN(int, char **);
				79
				80	int MAIN(int argc, char **argv)
				81	{
				82	ENGINE *e = NULL;
				83	int i,ret=1, badarg = 0;
				84	char CApath=NULL,CAfile=NULL;
				85	char untfile = NULL, trustfile = NULL, *crlfile = NULL;
				86	STACK_OF(X509) untrusted = NULL, trusted = NULL;
				87	STACK_OF(X509_CRL) *crls = NULL;
				88	X509_STORE *cert_ctx=NULL;
				89	X509_LOOKUP *lookup=NULL;
				90	X509_VERIFY_PARAM *vpm = NULL;
				91	#ifndef OPENSSL_NO_ENGINE
				92	char *engine=NULL;
				93	#endif
				94
				95	cert_ctx=X509_STORE_new();
				96	if (cert_ctx == NULL) goto end;
				97	X509_STORE_set_verify_cb(cert_ctx,cb);
				98
				99	ERR_load_crypto_strings();
				100
				101	apps_startup();
				102
				103	if (bio_err == NULL)
				104	if ((bio_err=BIO_new(BIO_s_file())) != NULL)
				105	BIO_set_fp(bio_err,stderr,BIO_NOCLOSE\|BIO_FP_TEXT);
				106
				107	if (!load_config(bio_err, NULL))
				108	goto end;
				109
				110	argc--;
				111	argv++;
				112	for (;;)
				113	{
				114	if (argc >= 1)
				115	{
				116	if (strcmp(*argv,"-CApath") == 0)
				117	{
				118	if (argc-- < 1) goto end;
				119	CApath= *(++argv);
				120	}
				121	else if (strcmp(*argv,"-CAfile") == 0)
				122	{
				123	if (argc-- < 1) goto end;
				124	CAfile= *(++argv);
				125	}
				126	else if (args_verify(&argv, &argc, &badarg, bio_err,
				127	&vpm))
				128	{
				129	if (badarg)
				130	goto end;
				131	continue;
				132	}
				133	else if (strcmp(*argv,"-untrusted") == 0)
				134	{
				135	if (argc-- < 1) goto end;
				136	untfile= *(++argv);
				137	}
				138	else if (strcmp(*argv,"-trusted") == 0)
				139	{
				140	if (argc-- < 1) goto end;
				141	trustfile= *(++argv);
				142	}
				143	else if (strcmp(*argv,"-CRLfile") == 0)
				144	{
				145	if (argc-- < 1) goto end;
				146	crlfile= *(++argv);
				147	}
				148	#ifndef OPENSSL_NO_ENGINE
				149	else if (strcmp(*argv,"-engine") == 0)
				150	{
				151	if (--argc < 1) goto end;
				152	engine= *(++argv);
				153	}
				154	#endif
				155	else if (strcmp(*argv,"-help") == 0)
				156	goto end;
				157	else if (strcmp(*argv,"-verbose") == 0)
				158	v_verbose=1;
				159	else if (argv[0][0] == '-')
				160	goto end;
				161	else
				162	break;
				163	argc--;
				164	argv++;
				165	}
				166	else
				167	break;
				168	}
				169
				170	#ifndef OPENSSL_NO_ENGINE
				171	e = setup_engine(bio_err, engine, 0);
				172	#endif
				173
				174	if (vpm)
				175	X509_STORE_set1_param(cert_ctx, vpm);
				176
				177	lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file());
				178	if (lookup == NULL) abort();
				179	if (CAfile) {
				180	i=X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM);
				181	if(!i) {
				182	BIO_printf(bio_err, "Error loading file %s\n", CAfile);
				183	ERR_print_errors(bio_err);
				184	goto end;
				185	}
				186	} else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
				187
				188	lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_hash_dir());
				189	if (lookup == NULL) abort();
				190	if (CApath) {
				191	i=X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM);
				192	if(!i) {
				193	BIO_printf(bio_err, "Error loading directory %s\n", CApath);
				194	ERR_print_errors(bio_err);
				195	goto end;
				196	}
				197	} else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
				198
				199	ERR_clear_error();
				200
				201	if(untfile)
				202	{
				203	untrusted = load_certs(bio_err, untfile, FORMAT_PEM,
				204	NULL, e, "untrusted certificates");
				205	if(!untrusted)
				206	goto end;
				207	}
				208
				209	if(trustfile)
				210	{
				211	trusted = load_certs(bio_err, trustfile, FORMAT_PEM,
				212	NULL, e, "trusted certificates");
				213	if(!trusted)
				214	goto end;
				215	}
				216
				217	if(crlfile)
				218	{
				219	crls = load_crls(bio_err, crlfile, FORMAT_PEM,
				220	NULL, e, "other CRLs");
				221	if(!crls)
				222	goto end;
				223	}
				224
				225	if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, crls, e);
				226	else
				227	for (i=0; i<argc; i++)
				228	check(cert_ctx,argv[i], untrusted, trusted, crls, e);
				229	ret=0;
				230	end:
				231	if (ret == 1) {
				232	BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
				233	#ifndef OPENSSL_NO_ENGINE
				234	BIO_printf(bio_err," [-engine e]");
				235	#endif
				236	BIO_printf(bio_err," cert1 cert2 ...\n");
				237	BIO_printf(bio_err,"recognized usages:\n");
				238	for(i = 0; i < X509_PURPOSE_get_count(); i++) {
				239	X509_PURPOSE *ptmp;
				240	ptmp = X509_PURPOSE_get0(i);
				241	BIO_printf(bio_err, "\t%-10s\t%s\n", X509_PURPOSE_get0_sname(ptmp),
				242	X509_PURPOSE_get0_name(ptmp));
				243	}
				244	}
				245	if (vpm) X509_VERIFY_PARAM_free(vpm);
				246	if (cert_ctx != NULL) X509_STORE_free(cert_ctx);
				247	sk_X509_pop_free(untrusted, X509_free);
				248	sk_X509_pop_free(trusted, X509_free);
				249	sk_X509_CRL_pop_free(crls, X509_CRL_free);
				250	apps_shutdown();
				251	OPENSSL_EXIT(ret);
				252	}
				253
				254	static int check(X509_STORE ctx, char file,
				255	STACK_OF(X509) uchain, STACK_OF(X509) tchain,
				256	STACK_OF(X509_CRL) crls, ENGINE e)
				257	{
				258	X509 *x=NULL;
				259	int i=0,ret=0;
				260	X509_STORE_CTX *csc;
				261
				262	x = load_cert(bio_err, file, FORMAT_PEM, NULL, e, "certificate file");
				263	if (x == NULL)
				264	goto end;
				265	fprintf(stdout,"%s: ",(file == NULL)?"stdin":file);
				266
				267	csc = X509_STORE_CTX_new();
				268	if (csc == NULL)
				269	{
				270	ERR_print_errors(bio_err);
				271	goto end;
				272	}
				273	X509_STORE_set_flags(ctx, vflags);
				274	if(!X509_STORE_CTX_init(csc,ctx,x,uchain))
				275	{
				276	ERR_print_errors(bio_err);
				277	goto end;
				278	}
				279	if(tchain) X509_STORE_CTX_trusted_stack(csc, tchain);
				280	if (crls)
				281	X509_STORE_CTX_set0_crls(csc, crls);
				282	i=X509_verify_cert(csc);
				283	X509_STORE_CTX_free(csc);
				284
				285	ret=0;
				286	end:
				287	if (i > 0)
				288	{
				289	fprintf(stdout,"OK\n");
				290	ret=1;
				291	}
				292	else
				293	ERR_print_errors(bio_err);
				294	if (x != NULL) X509_free(x);
				295
				296	return(ret);
				297	}
				298
				299	static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
				300	{
				301	int cert_error = X509_STORE_CTX_get_error(ctx);
				302	X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
				303
				304	if (!ok)
				305	{
				306	if (current_cert)
				307	{
				308	X509_NAME_print_ex_fp(stdout,
				309	X509_get_subject_name(current_cert),
				310	0, XN_FLAG_ONELINE);
				311	printf("\n");
				312	}
				313	printf("%serror %d at %d depth lookup:%s\n",
				314	X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path]" : "",
				315	cert_error,
				316	X509_STORE_CTX_get_error_depth(ctx),
				317	X509_verify_cert_error_string(cert_error));
				318	switch(cert_error)
				319	{
				320	case X509_V_ERR_NO_EXPLICIT_POLICY:
				321	policies_print(NULL, ctx);
				322	case X509_V_ERR_CERT_HAS_EXPIRED:
				323
				324	/* since we are just checking the certificates, it is
				325	* ok if they are self signed. But we should still warn
				326	* the user.
				327	*/
				328
				329	case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
				330	/* Continue after extension errors too */
				331	case X509_V_ERR_INVALID_CA:
				332	case X509_V_ERR_INVALID_NON_CA:
				333	case X509_V_ERR_PATH_LENGTH_EXCEEDED:
				334	case X509_V_ERR_INVALID_PURPOSE:
				335	case X509_V_ERR_CRL_HAS_EXPIRED:
				336	case X509_V_ERR_CRL_NOT_YET_VALID:
				337	case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
				338	ok = 1;
				339
				340	}
				341
				342	return ok;
				343
				344	}
				345	if (cert_error == X509_V_OK && ok == 2)
				346	policies_print(NULL, ctx);
				347	if (!v_verbose)
				348	ERR_clear_error();
				349	return(ok);
				350	}