mirror of
https://github.com/guanzhi/GmSSL.git
synced 2026-06-27 15:43:42 +08:00
Update certverify
This commit is contained in:
Zhi Guan
@@ -841,7 +841,7 @@ endif()
|
|||||||
#
|
#
|
||||||
set(CPACK_PACKAGE_NAME "GmSSL")
|
set(CPACK_PACKAGE_NAME "GmSSL")
|
||||||
set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
|
set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
|
||||||
set(CPACK_PACKAGE_VERSION "3.2.0-dev.1122")
|
set(CPACK_PACKAGE_VERSION "3.2.0-dev.1123")
|
||||||
set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
|
set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
|
||||||
set(CPACK_NSIS_MODIFY_PATH ON)
|
set(CPACK_NSIS_MODIFY_PATH ON)
|
||||||
include(CPack)
|
include(CPack)
|
||||||
|
|||||||
@@ -18,7 +18,7 @@ extern "C" {
|
|||||||
|
|
||||||
|
|
||||||
#define GMSSL_VERSION_NUM 30200
|
#define GMSSL_VERSION_NUM 30200
|
||||||
#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1122"
|
#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1123"
|
||||||
|
|
||||||
int gmssl_version_num(void);
|
int gmssl_version_num(void);
|
||||||
const char *gmssl_version_str(void);
|
const char *gmssl_version_str(void);
|
||||||
|
|||||||
@@ -142,6 +142,8 @@ typedef enum {
|
|||||||
|
|
||||||
int x509_general_name_to_der(int choice, const uint8_t *d, size_t dlen, uint8_t **out, size_t *outlen);
|
int x509_general_name_to_der(int choice, const uint8_t *d, size_t dlen, uint8_t **out, size_t *outlen);
|
||||||
int x509_general_name_from_der(int *choice, const uint8_t **d, size_t *dlen, const uint8_t **in, size_t *inlen);
|
int x509_general_name_from_der(int *choice, const uint8_t **d, size_t *dlen, const uint8_t **in, size_t *inlen);
|
||||||
|
int x509_general_name_normalized_equ(int a_choice, const uint8_t *a, size_t alen,
|
||||||
|
int b_choice, const uint8_t *b, size_t blen);
|
||||||
int x509_general_names_get_first(const uint8_t *gns, size_t gns_len, const uint8_t **ptr, int choice, const uint8_t **d, size_t *dlen);
|
int x509_general_names_get_first(const uint8_t *gns, size_t gns_len, const uint8_t **ptr, int choice, const uint8_t **d, size_t *dlen);
|
||||||
int x509_general_names_get_next(const uint8_t *gns, size_t gns_len, const uint8_t **ptr, int choice, const uint8_t **d, size_t *dlen);
|
int x509_general_names_get_next(const uint8_t *gns, size_t gns_len, const uint8_t **ptr, int choice, const uint8_t **d, size_t *dlen);
|
||||||
int x509_general_name_print(FILE *fp, int fmt, int ind, const char *label, int choice, const uint8_t *d, size_t dlen);
|
int x509_general_name_print(FILE *fp, int fmt, int ind, const char *label, int choice, const uint8_t *d, size_t dlen);
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 2014-2023 The GmSSL Project. All Rights Reserved.
|
* Copyright 2014-2026 The GmSSL Project. All Rights Reserved.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the License); you may
|
* Licensed under the Apache License, Version 2.0 (the License); you may
|
||||||
* not use this file except in compliance with the License.
|
* not use this file except in compliance with the License.
|
||||||
@@ -9,127 +9,163 @@
|
|||||||
|
|
||||||
|
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <errno.h>
|
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <gmssl/hex.h>
|
#include <gmssl/file.h>
|
||||||
#include <gmssl/x509.h>
|
#include <gmssl/x509.h>
|
||||||
#include <gmssl/x509_crl.h>
|
#include <gmssl/x509_ext.h>
|
||||||
#include <gmssl/error.h>
|
#include <gmssl/error.h>
|
||||||
|
|
||||||
|
|
||||||
static const char *usage =
|
enum {
|
||||||
" -in pem [-double_certs]"
|
TLS_cert_chain_tlcp_server = 1,
|
||||||
" [-check_crl]"
|
TLS_cert_chain_server,
|
||||||
" -cacert pem"
|
TLS_cert_chain_client,
|
||||||
" [-sm2_id str | -sm2_id_hex hex]"
|
};
|
||||||
"\n";
|
|
||||||
|
|
||||||
static const char *options =
|
static const char *usage =
|
||||||
|
"-in pem [-tlcp_server|-server|-client] -cacert pem"
|
||||||
|
" [-crl der] [-ocsp der] [-hostname str]";
|
||||||
|
|
||||||
|
static const char *help =
|
||||||
"Options\n"
|
"Options\n"
|
||||||
"\n"
|
"\n"
|
||||||
" -in pem Input certificate chain file in PEM format\n"
|
" -in pem Certificate chain in PEM format\n"
|
||||||
" -double_certs The first two certificates are SM2 signing and encryption entity certificate\n"
|
" -tlcp_server Verify TLCP server certificate chain, default\n"
|
||||||
" -check_crl If the entity certificate has CRLDistributionPoints extension, Download and check againt the CRL\n"
|
" -server Verify TLS server certificate chain\n"
|
||||||
" -cacert pem CA certificate\n"
|
" -client Verify TLS client certificate chain\n"
|
||||||
" -sm2_id str Signer's ID in SM2 signature algorithm\n"
|
" -cacert pem Trusted CA certificate(s) in PEM format\n"
|
||||||
" -sm2_id_hex hex Signer's ID in hex format\n"
|
" -crl der CRL in DER format\n"
|
||||||
" When `-sm2_id` or `-sm2_id_hex` is specified,\n"
|
" -ocsp der OCSPResponse in DER format\n"
|
||||||
" must use the same ID in other commands explicitly.\n"
|
" -hostname str Server hostname for certificate verification\n"
|
||||||
" If neither `-sm2_id` nor `-sm2_id_hex` is specified,\n"
|
"\n"
|
||||||
" the default string '1234567812345678' is used\n"
|
"Examples\n"
|
||||||
|
"\n"
|
||||||
|
" gmssl certverify -tlcp_server -in certs.pem -cacert cacerts.pem -hostname localhost\n"
|
||||||
"\n";
|
"\n";
|
||||||
|
|
||||||
|
static int cert_match_server_name_normalized(const uint8_t *cert, size_t certlen,
|
||||||
|
const char *hostname)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
const uint8_t *dns_name;
|
||||||
|
size_t dns_name_len;
|
||||||
|
|
||||||
|
if (!cert || !certlen || !hostname || !strlen(hostname)) {
|
||||||
|
error_print();
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
if ((ret = x509_cert_get_subject_alt_name_dns_name(cert, certlen,
|
||||||
|
&dns_name, &dns_name_len)) < 0) {
|
||||||
|
error_print();
|
||||||
|
return -1;
|
||||||
|
} else if (ret == 0) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
return x509_general_name_normalized_equ(X509_gn_dns_name, dns_name, dns_name_len,
|
||||||
|
X509_gn_dns_name, (const uint8_t *)hostname, strlen(hostname));
|
||||||
|
}
|
||||||
|
|
||||||
|
static const char *verify_result_name(int verify_result)
|
||||||
|
{
|
||||||
|
switch (verify_result) {
|
||||||
|
case X509_verify_ok:
|
||||||
|
return "ok";
|
||||||
|
case X509_verify_err_certificate:
|
||||||
|
return "certificate";
|
||||||
|
case X509_verify_err_cert_chain:
|
||||||
|
return "cert_chain";
|
||||||
|
case X509_verify_err_trust_anchor:
|
||||||
|
return "trust_anchor";
|
||||||
|
case X509_verify_err_depth:
|
||||||
|
return "depth";
|
||||||
|
case X509_verify_err_crl:
|
||||||
|
return "crl";
|
||||||
|
case X509_verify_err_ocsp:
|
||||||
|
return "ocsp";
|
||||||
|
case X509_verify_err_constraints:
|
||||||
|
return "constraints";
|
||||||
|
case X509_verify_err_tls_extensions:
|
||||||
|
return "tls_extensions";
|
||||||
|
case X509_verify_err_hostname:
|
||||||
|
return "hostname";
|
||||||
|
}
|
||||||
|
return "unknown";
|
||||||
|
}
|
||||||
|
|
||||||
int certverify_main(int argc, char **argv)
|
int certverify_main(int argc, char **argv)
|
||||||
{
|
{
|
||||||
int ret = 1;
|
int ret = 1;
|
||||||
char *prog = argv[0];
|
char *prog = argv[0];
|
||||||
char *str;
|
|
||||||
|
|
||||||
char *infile = NULL;
|
char *infile = NULL;
|
||||||
char *cacertfile = NULL;
|
char *cacertfile = NULL;
|
||||||
FILE *infp = stdin;
|
char *crlfile = NULL;
|
||||||
FILE *cacertfp = NULL;
|
char *ocspfile = NULL;
|
||||||
uint8_t cert[8192];
|
char *hostname = NULL;
|
||||||
|
int chain_type = TLS_cert_chain_tlcp_server;
|
||||||
|
uint8_t *certs = NULL;
|
||||||
|
size_t certslen = 0;
|
||||||
|
uint8_t *cacerts = NULL;
|
||||||
|
size_t cacertslen = 0;
|
||||||
|
uint8_t *crl = NULL;
|
||||||
|
size_t crl_len = 0;
|
||||||
|
uint8_t *ocsp = NULL;
|
||||||
|
size_t ocsp_len = 0;
|
||||||
|
int certs_type = X509_cert_chain_server;
|
||||||
|
int verify_result = X509_verify_ok;
|
||||||
|
const uint8_t *cert;
|
||||||
size_t certlen;
|
size_t certlen;
|
||||||
uint8_t cacert[8192];
|
|
||||||
size_t cacertlen;
|
|
||||||
char signer_id[SM2_MAX_ID_LENGTH + 1] = {0};
|
|
||||||
size_t signer_id_len = 0;
|
|
||||||
|
|
||||||
const uint8_t *serial;
|
|
||||||
size_t serial_len;
|
|
||||||
const uint8_t *issuer;
|
|
||||||
size_t issuer_len;
|
|
||||||
const uint8_t *subject;
|
|
||||||
size_t subject_len;
|
|
||||||
|
|
||||||
const uint8_t *enc_serial;
|
|
||||||
size_t enc_serial_len;
|
|
||||||
const uint8_t *enc_issuer;
|
|
||||||
size_t enc_issuer_len;
|
|
||||||
const uint8_t *enc_subject;
|
|
||||||
size_t enc_subject_len;
|
|
||||||
|
|
||||||
int double_certs = 0;
|
|
||||||
uint8_t enc_cert[8192];
|
|
||||||
size_t enc_cert_len;
|
|
||||||
int rv;
|
int rv;
|
||||||
|
|
||||||
int check_crl = 0;
|
|
||||||
int crl_ret;
|
|
||||||
|
|
||||||
argc--;
|
argc--;
|
||||||
argv++;
|
argv++;
|
||||||
|
|
||||||
if (argc < 1) {
|
if (argc < 1) {
|
||||||
fprintf(stderr, "usage: %s %s\n", prog, usage);
|
fprintf(stderr, "usage: gmssl %s %s\n", prog, usage);
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
while (argc > 0) {
|
while (argc > 0) {
|
||||||
if (!strcmp(*argv, "-help")) {
|
if (!strcmp(*argv, "-help")) {
|
||||||
printf("usage: %s %s\n", prog, usage);
|
printf("usage: gmssl %s %s\n\n", prog, usage);
|
||||||
printf("%s\n", options);
|
printf("%s\n", help);
|
||||||
ret = 0;
|
ret = 0;
|
||||||
goto end;
|
goto end;
|
||||||
} else if (!strcmp(*argv, "-in")) {
|
} else if (!strcmp(*argv, "-in")) {
|
||||||
if (--argc < 1) goto bad;
|
if (--argc < 1) goto bad;
|
||||||
infile = *(++argv);
|
infile = *(++argv);
|
||||||
if (!(infp = fopen(infile, "rb"))) {
|
} else if (!strcmp(*argv, "-tlcp_server")) {
|
||||||
fprintf(stderr, "%s: open '%s' failure : %s\n", prog, infile, strerror(errno));
|
if (chain_type) {
|
||||||
|
fprintf(stderr, "%s: chain type option conflicts\n", prog);
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
} else if (!strcmp(*argv, "-double_certs")) {
|
chain_type = TLS_cert_chain_tlcp_server;
|
||||||
double_certs = 1;
|
} else if (!strcmp(*argv, "-server")) {
|
||||||
} else if (!strcmp(*argv, "-check_crl")) {
|
if (chain_type) {
|
||||||
check_crl = 1;
|
fprintf(stderr, "%s: chain type option conflicts\n", prog);
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
chain_type = TLS_cert_chain_server;
|
||||||
|
} else if (!strcmp(*argv, "-client")) {
|
||||||
|
if (chain_type) {
|
||||||
|
fprintf(stderr, "%s: chain type option conflicts\n", prog);
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
chain_type = TLS_cert_chain_client;
|
||||||
} else if (!strcmp(*argv, "-cacert")) {
|
} else if (!strcmp(*argv, "-cacert")) {
|
||||||
if (--argc < 1) goto bad;
|
if (--argc < 1) goto bad;
|
||||||
cacertfile = *(++argv);
|
cacertfile = *(++argv);
|
||||||
if (!(cacertfp = fopen(cacertfile, "rb"))) {
|
} else if (!strcmp(*argv, "-crl")) {
|
||||||
fprintf(stderr, "%s: open '%s' failure : %s\n", prog, cacertfile, strerror(errno));
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
} else if (!strcmp(*argv, "-sm2_id")) {
|
|
||||||
if (--argc < 1) goto bad;
|
if (--argc < 1) goto bad;
|
||||||
str = *(++argv);
|
crlfile = *(++argv);
|
||||||
if (strlen(str) > sizeof(signer_id) - 1) {
|
} else if (!strcmp(*argv, "-ocsp")) {
|
||||||
fprintf(stderr, "%s: invalid `-sm2_id` length\n", prog);
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
strncpy(signer_id, str, sizeof(signer_id));
|
|
||||||
signer_id_len = strlen(str);
|
|
||||||
} else if (!strcmp(*argv, "-sm2_id_hex")) {
|
|
||||||
if (--argc < 1) goto bad;
|
if (--argc < 1) goto bad;
|
||||||
str = *(++argv);
|
ocspfile = *(++argv);
|
||||||
if (strlen(str) > (sizeof(signer_id) - 1) * 2) {
|
} else if (!strcmp(*argv, "-hostname")) {
|
||||||
fprintf(stderr, "%s: invalid `-sm2_id_hex` length\n", prog);
|
if (--argc < 1) goto bad;
|
||||||
goto end;
|
hostname = *(++argv);
|
||||||
}
|
if (!strlen(hostname) || strchr(hostname, '\r') || strchr(hostname, '\n')) {
|
||||||
if (hex_to_bytes(str, strlen(str), (uint8_t *)signer_id, &signer_id_len) != 1) {
|
fprintf(stderr, "%s: invalid '-hostname' value\n", prog);
|
||||||
fprintf(stderr, "%s: invalid `-sm2_id_hex` value\n", prog);
|
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
@@ -144,7 +180,6 @@ bad:
|
|||||||
argv++;
|
argv++;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
if (!infile) {
|
if (!infile) {
|
||||||
fprintf(stderr, "%s: '-in' option required\n", prog);
|
fprintf(stderr, "%s: '-in' option required\n", prog);
|
||||||
goto end;
|
goto end;
|
||||||
@@ -153,160 +188,83 @@ bad:
|
|||||||
fprintf(stderr, "%s: '-cacert' option required\n", prog);
|
fprintf(stderr, "%s: '-cacert' option required\n", prog);
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
if (!signer_id_len) {
|
if (hostname && chain_type == TLS_cert_chain_client) {
|
||||||
strcpy(signer_id, SM2_DEFAULT_ID);
|
fprintf(stderr, "%s: '-hostname' only allowed with '-tlcp_server' or '-server'\n", prog);
|
||||||
signer_id_len = strlen(SM2_DEFAULT_ID);
|
|
||||||
}
|
|
||||||
|
|
||||||
// read first to be verified certificate
|
|
||||||
if (x509_cert_from_pem(cert, &certlen, sizeof(cert), infp) != 1
|
|
||||||
|| x509_cert_get_issuer_and_serial_number(cert, certlen,
|
|
||||||
&issuer, &issuer_len, &serial, &serial_len) != 1
|
|
||||||
|| x509_cert_get_subject(cert, certlen, &subject, &subject_len) != 1) {
|
|
||||||
fprintf(stderr, "%s: read certificate failure\n", prog);
|
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
format_print(stdout, 0, 0, "Certificate\n");
|
if (x509_certs_new_from_file(&certs, &certslen, infile) != 1) {
|
||||||
format_bytes(stdout, 0, 4, "serialNumber", serial, serial_len);
|
fprintf(stderr, "%s: load '%s' failed\n", prog, infile);
|
||||||
x509_name_print(stdout, 0, 4, "subject", subject, subject_len);
|
|
||||||
|
|
||||||
// read encryption cert in double certs
|
|
||||||
if (double_certs) {
|
|
||||||
if (x509_cert_from_pem(enc_cert, &enc_cert_len, sizeof(enc_cert), infp) != 1
|
|
||||||
|| x509_cert_get_issuer_and_serial_number(enc_cert, enc_cert_len,
|
|
||||||
&enc_issuer, &enc_issuer_len, &enc_serial, &enc_serial_len) != 1
|
|
||||||
|| x509_cert_get_subject(enc_cert, enc_cert_len, &enc_subject, &enc_subject_len) != 1) {
|
|
||||||
fprintf(stderr, "%s: read encryption certficate failure\n", prog);
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
if (x509_name_equ(enc_subject, enc_subject_len, subject, subject_len) != 1
|
|
||||||
|| x509_name_equ(enc_issuer, enc_issuer_len, issuer, issuer_len) != 1) {
|
|
||||||
fprintf(stderr, "%s: double certificates not compatible\n", prog);
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
for (;;) {
|
|
||||||
if ((rv = x509_cert_from_pem(cacert, &cacertlen, sizeof(cacert), infp)) != 1) {
|
|
||||||
if (rv < 0) goto end;
|
|
||||||
goto final;
|
|
||||||
}
|
|
||||||
|
|
||||||
if ((rv = x509_cert_verify_by_ca_cert(cert, certlen, cacert, cacertlen,
|
|
||||||
signer_id, signer_id_len)) != 1) {
|
|
||||||
fprintf(stderr, "%s: Verification failure\n", prog);
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
format_print(stdout, 0, 4, "Verification success\n");
|
|
||||||
|
|
||||||
if (check_crl) {
|
|
||||||
if ((crl_ret = x509_cert_check_crl(cert, certlen, cacert, cacertlen,
|
|
||||||
signer_id, signer_id_len)) < 0) {
|
|
||||||
fprintf(stderr, "%s: Certificate has been revoked\n", prog);
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
format_print(stdout, 0, 4, "Revocation status: %s\n",
|
|
||||||
crl_ret ? "Not revoked by CRL" : "No CRL URI found in certificate");
|
|
||||||
}
|
|
||||||
|
|
||||||
if (double_certs) {
|
|
||||||
if ((rv = x509_cert_verify_by_ca_cert(enc_cert, enc_cert_len, cacert, cacertlen,
|
|
||||||
signer_id, signer_id_len)) < 0) {
|
|
||||||
fprintf(stderr, "%s: Verification failure\n", prog);
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
format_print(stdout, 0, 0, "Certificate\n");
|
|
||||||
format_bytes(stdout, 0, 4, "serialNumber", enc_serial, enc_serial_len);
|
|
||||||
x509_name_print(stdout, 0, 4, "subject", enc_subject, enc_subject_len);
|
|
||||||
format_print(stdout, 0, 4, "Verification success\n");
|
|
||||||
if (check_crl) {
|
|
||||||
if ((crl_ret = x509_cert_check_crl(enc_cert, enc_cert_len, cacert, cacertlen,
|
|
||||||
signer_id, signer_id_len)) < 0) {
|
|
||||||
fprintf(stderr, "%s: Certificate has been revoked\n", prog);
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
format_print(stdout, 0, 4, "Revocation status: %s\n",
|
|
||||||
crl_ret ? "Not revoked by CRL" : "No CRL URI found in certificate");
|
|
||||||
}
|
|
||||||
double_certs = 0;
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
// NOTE: make sure the buffer (issuer, issuer_len) not crashed
|
|
||||||
memcpy(cert, cacert, cacertlen);
|
|
||||||
certlen = cacertlen;
|
|
||||||
if (x509_cert_get_issuer_and_serial_number(cert, certlen,
|
|
||||||
&issuer, &issuer_len, &serial, &serial_len) != 1
|
|
||||||
|| x509_cert_get_subject(cert, certlen, &subject, &subject_len) != 1) {
|
|
||||||
error_print();
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
format_print(stdout, 0, 0, "Signed by Certificate\n");
|
|
||||||
format_bytes(stdout, 0, 4, "serialNumber", serial, serial_len);
|
|
||||||
x509_name_print(stdout, 0, 4, "Certificate", subject, subject_len);
|
|
||||||
|
|
||||||
check_crl = 0; // only check the entity CRL
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
final:
|
|
||||||
if (x509_cert_from_pem_by_subject(cacert, &cacertlen, sizeof(cacert), issuer, issuer_len, cacertfp) != 1) {
|
|
||||||
fprintf(stderr, "%s: load CA certificate failure\n", prog);
|
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
if ((rv = x509_cert_verify_by_ca_cert(cert, certlen, cacert, cacertlen,
|
if (x509_certs_new_from_file(&cacerts, &cacertslen, cacertfile) != 1) {
|
||||||
signer_id, signer_id_len)) < 0) {
|
fprintf(stderr, "%s: load '%s' failed\n", prog, cacertfile);
|
||||||
fprintf(stderr, "%s: inner error\n", prog);
|
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
format_print(stdout, 0, 4, "Verification success\n");
|
if (crlfile) {
|
||||||
|
if (file_read_all(crlfile, &crl, &crl_len) != 1) {
|
||||||
if (check_crl) {
|
fprintf(stderr, "%s: load '%s' failed\n", prog, crlfile);
|
||||||
if ((crl_ret = x509_cert_check_crl(cert, certlen, cacert, cacertlen,
|
|
||||||
signer_id, signer_id_len)) < 0) {
|
|
||||||
fprintf(stderr, "%s: certificate has been revoked\n", prog);
|
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
format_print(stdout, 0, 4, "Revocation status: %s\n",
|
|
||||||
crl_ret ? "Not revoked by CRL" : "No CRL URI found in certificate");
|
|
||||||
}
|
}
|
||||||
|
if (ocspfile) {
|
||||||
if (double_certs) {
|
if (file_read_all(ocspfile, &ocsp, &ocsp_len) != 1) {
|
||||||
if ((rv = x509_cert_verify_by_ca_cert(enc_cert, enc_cert_len, cacert, cacertlen,
|
fprintf(stderr, "%s: load '%s' failed\n", prog, ocspfile);
|
||||||
signer_id, signer_id_len)) < 0) {
|
|
||||||
fprintf(stderr, "%s: inner error\n", prog);
|
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
format_print(stdout, 0, 0, "Certificate\n");
|
|
||||||
format_bytes(stdout, 0, 4, "serialNumber", enc_serial, enc_serial_len);
|
|
||||||
x509_name_print(stdout, 0, 4, "subject", enc_subject, enc_subject_len);
|
|
||||||
format_print(stdout, 0, 4, "Verification success\n");
|
|
||||||
|
|
||||||
if (check_crl) {
|
|
||||||
if ((crl_ret = x509_cert_check_crl(enc_cert, enc_cert_len, cacert, cacertlen,
|
|
||||||
signer_id, signer_id_len)) < 0) {
|
|
||||||
fprintf(stderr, "%s: certificate has been revoked\n", prog);
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
format_print(stdout, 0, 4, "Revocation status: %s\n",
|
|
||||||
crl_ret ? "Not revoked by CRL" : "No CRL URI found in certificate");
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (x509_cert_get_issuer_and_serial_number(cacert, cacertlen, NULL, NULL, &serial, &serial_len) != 1
|
switch (chain_type) {
|
||||||
|| x509_cert_get_subject(cacert, cacertlen, &subject, &subject_len) != 1) {
|
case TLS_cert_chain_tlcp_server:
|
||||||
fprintf(stderr, "%s: parse certificate error\n", prog);
|
if (x509_certs_verify_tlcp(certs, certslen, X509_cert_chain_server,
|
||||||
|
cacerts, cacertslen, crl, crl_len, ocsp, ocsp_len,
|
||||||
|
X509_MAX_VERIFY_DEPTH, &verify_result) != 1) {
|
||||||
|
fprintf(stderr, "%s: Vcerification failure: %s\n", prog, verify_result_name(verify_result));
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case TLS_cert_chain_server:
|
||||||
|
if (x509_certs_verify(certs, certslen, X509_cert_chain_server,
|
||||||
|
cacerts, cacertslen, crl, crl_len, ocsp, ocsp_len,
|
||||||
|
X509_MAX_VERIFY_DEPTH, &verify_result) != 1) {
|
||||||
|
fprintf(stderr, "%s: Verification failure: %s\n", prog, verify_result_name(verify_result));
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case TLS_cert_chain_client:
|
||||||
|
if (x509_certs_verify(certs, certslen, X509_cert_chain_client,
|
||||||
|
cacerts, cacertslen, crl, crl_len, ocsp, ocsp_len,
|
||||||
|
X509_MAX_VERIFY_DEPTH, &verify_result) != 1) {
|
||||||
|
fprintf(stderr, "%s: Verification failure: %s\n", prog, verify_result_name(verify_result));
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
error_print();
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
format_print(stdout, 0, 0, "Signed by Certificate\n");
|
|
||||||
format_bytes(stdout, 0, 4, "serialNumber", serial, serial_len);
|
|
||||||
x509_name_print(stdout, 0, 4, "subject", subject, subject_len);
|
|
||||||
|
|
||||||
printf("\n");
|
|
||||||
|
|
||||||
|
if (hostname) {
|
||||||
|
if (x509_certs_get_cert_by_index(certs, certslen, 0, &cert, &certlen) != 1) {
|
||||||
|
fprintf(stderr, "%s: read entity certificate failure\n", prog);
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
if ((rv = cert_match_server_name_normalized(cert, certlen, hostname)) < 0) {
|
||||||
|
fprintf(stderr, "%s: hostname verification error\n", prog);
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
if (rv == 0) {
|
||||||
|
fprintf(stderr, "%s: Verification failure: %s\n", prog, verify_result_name(X509_verify_err_hostname));
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
printf("Verification success\n");
|
||||||
ret = 0;
|
ret = 0;
|
||||||
end:
|
end:
|
||||||
if (infile && infp) fclose(infp);
|
if (certs) free(certs);
|
||||||
if (cacertfp) fclose(cacertfp);
|
if (cacerts) free(cacerts);
|
||||||
|
if (crl) free(crl);
|
||||||
|
if (ocsp) free(ocsp);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user