Add a check that libressl is actually able to verify CA certs.

Skip outputting them if invalid (e.g. GENERALIZEDTIME date before 2050).

1 files changed, 28 insertions, 12 deletions

diff --git a/src/lib/libcrypto/format-pem.pl b/src/lib/libcrypto/format-pem.pl
index 556178eb30..6134d656b7 100644
--- a/src/lib/libcrypto/format-pem.pl
+++ b/src/lib/libcrypto/format-pem.pl
@@ -1,5 +1,5 @@
 #!/usr/bin/perl
-# $OpenBSD: format-pem.pl,v 1.2 2018/03/21 15:23:53 sthen Exp $
+# $OpenBSD: format-pem.pl,v 1.3 2018/12/16 11:56:53 sthen Exp $
 #
 # Copyright (c) 2016 Stuart Henderson <sthen@openbsd.org>
 #
@@ -46,9 +46,6 @@ while(<>) {
                 my $subj = `openssl x509 -in $t -noout -subject`;
                 $subj =~ s/^subject= (.*)\n/$1/;
 
-                print STDERR "'$subj' not self-signed"
-                        if ($issuer ne $subj);
-
                 my $o = `openssl x509 -in $t -noout -nameopt sep_multiline,use_quote,esc_msb -subject`;
                 if ($o =~ /O=/) {
                         $o =~ s/.*O=([^\n]*).*/$1/sm;
@@ -56,6 +53,18 @@ while(<>) {
                         $o = $subj;
                 }
 
+                if (defined $ca{$o}{$subj}) {
+                        print STDERR "ERROR: '$subj': duplicate\n";
+                        $ca{$o}{$subj}{'valid'} = 0;
+                }
+
+                $ca{$o}{$subj}{'valid'} = 1;
+
+                if ($issuer ne $subj) {
+                        print STDERR "ERROR: '$subj' not self-signed";
+                        $ca{$o}{$subj}{'valid'} = 0;
+                }
+
                 if (eval {require Date::Parse;1;}) {
                         my $startdate = `openssl x509 -in $t -startdate -noout`;
                         my $enddate = `openssl x509 -in $t -enddate -noout`;
@@ -65,12 +74,14 @@ while(<>) {
                         my $endtime = str2time($enddate);
 
                         if ($starttime > time) {
-                                print STDERR "'$subj' not valid yet\n"
+                                print STDERR "ERROR: '$subj' not valid yet\n";
+                                $ca{$o}{$subj}{'valid'} = 0;
                         }
                         if ($endtime < time) {
-                                print STDERR "'$subj' expired on $startdate\n"
+                                print STDERR "ERROR: '$subj' expired on $startdate\n";
+                                $ca{$o}{$subj}{'valid'} = 0;
                         } elsif ($endtime < time + 86400 * 365 * 2) {
-                                print STDERR "'$subj' expires on $enddate\n"
+                                print STDERR "WARNING: '$subj' expires on $enddate\n";
                         }
                 }
 
@@ -78,8 +89,10 @@ while(<>) {
                 $info .= qx/openssl x509 -in $t -fingerprint -sha256 -noout/;
                 my $cert = qx/openssl x509 -in $t/;
 
-                if (defined $ca{$o}{$subj}) {
-                        print STDERR "'$subj': duplicate\n";
+                my $verify = qx/openssl verify -CAfile $t $t 2>&1/;
+                if (not $verify =~ /^$t: OK$/) {
+                        print STDERR "ERROR: '$subj' cannot be verified with libressl\n---\n$verify---\n";
+                        $ca{$o}{$subj}{'valid'} = 0;
                 }
 
                 $ca{$o}{$subj}{'subj'} = $subj;
@@ -92,13 +105,16 @@ while(<>) {
 }
 
 close $tmp;
+chomp $rcsid;
 print $rcsid;
 foreach my $o (sort{lc($a) cmp lc($b)} keys %ca) {
         print "\n### $o\n\n";
         foreach my $subj (sort{lc($a) cmp lc($b)} keys %{ $ca{$o} }) {
-                print "=== $subj\n";
-                print $ca{$o}{$subj}{'info'};
-                print $ca{$o}{$subj}{'cert'};
+                if ($ca{$o}{$subj}{'valid'} == 1) {
+                        print "=== $subj\n";
+                        print $ca{$o}{$subj}{'info'};
+                        print $ca{$o}{$subj}{'cert'};
+                }
         }
 }