Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not

a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl. ok deraadt@ miod@
author: jsing <> 2014-08-26 17:47:25 +0000
committer: jsing <> 2014-08-26 17:47:25 +0000
commit: f3755acd5513f85ff734de6a822b6f804d3776ce (patch)
tree: 1f859a78eae941040f58599de8c0e1e56d61fdad /src/usr.bin/openssl/verify.c
parent: 0779b9f30aa9875c290af18a4362799668829707 (diff)
download: openbsd-f3755acd5513f85ff734de6a822b6f804d3776ce.tar.gz
openbsd-f3755acd5513f85ff734de6a822b6f804d3776ce.tar.bz2
openbsd-f3755acd5513f85ff734de6a822b6f804d3776ce.zip
1 files changed, 339 insertions, 0 deletions
diff --git a/src/usr.bin/openssl/verify.c b/src/usr.bin/openssl/verify.c
new file mode 100644
index 0000000000..057c467372
--- /dev/null
+++ b/src/usr.bin/openssl/verify.c
@@ -0,0 +1,339 @@
+/* $OpenBSD: verify.c,v 1.1 2014/08/26 17:47:25 jsing Exp $ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+static int cb(int ok, X509_STORE_CTX * ctx);
+static int check(X509_STORE * ctx, char *file, STACK_OF(X509) * uchain,
+    STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls, ENGINE * e);
+static int v_verbose = 0, vflags = 0;
+int verify_main(int, char **);
+int
+verify_main(int argc, char **argv)
+{
+        ENGINE *e = NULL;
+        int i, ret = 1, badarg = 0;
+        char *CApath = NULL, *CAfile = NULL;
+        char *untfile = NULL, *trustfile = NULL, *crlfile = NULL;
+        STACK_OF(X509) * untrusted = NULL, *trusted = NULL;
+        STACK_OF(X509_CRL) * crls = NULL;
+        X509_STORE *cert_ctx = NULL;
+        X509_LOOKUP *lookup = NULL;
+        X509_VERIFY_PARAM *vpm = NULL;
+#ifndef OPENSSL_NO_ENGINE
+        char *engine = NULL;
+#endif
+        cert_ctx = X509_STORE_new();
+        if (cert_ctx == NULL)
+                goto end;
+        X509_STORE_set_verify_cb(cert_ctx, cb);
+        ERR_load_crypto_strings();
+        argc--;
+        argv++;
+        for (;;) {
+                if (argc >= 1) {
+                        if (strcmp(*argv, "-CApath") == 0) {
+                                if (argc-- < 1)
+                                        goto end;
+                                CApath = *(++argv);
+                        } else if (strcmp(*argv, "-CAfile") == 0) {
+                                if (argc-- < 1)
+                                        goto end;
+                                CAfile = *(++argv);
+                        } else if (args_verify(&argv, &argc, &badarg, bio_err,
+                            &vpm)) {
+                                if (badarg)
+                                        goto end;
+                                continue;
+                        } else if (strcmp(*argv, "-untrusted") == 0) {
+                                if (argc-- < 1)
+                                        goto end;
+                                untfile = *(++argv);
+                        } else if (strcmp(*argv, "-trusted") == 0) {
+                                if (argc-- < 1)
+                                        goto end;
+                                trustfile = *(++argv);
+                        } else if (strcmp(*argv, "-CRLfile") == 0) {
+                                if (argc-- < 1)
+                                        goto end;
+                                crlfile = *(++argv);
+                        }
+#ifndef OPENSSL_NO_ENGINE
+                        else if (strcmp(*argv, "-engine") == 0) {
+                                if (--argc < 1)
+                                        goto end;
+                                engine = *(++argv);
+                        }
+#endif
+                        else if (strcmp(*argv, "-help") == 0)
+                                goto end;
+                        else if (strcmp(*argv, "-verbose") == 0)
+                                v_verbose = 1;
+                        else if (argv[0][0] == '-')
+                                goto end;
+                        else
+                                break;
+                        argc--;
+                        argv++;
+                } else
+                        break;
+        }
+#ifndef OPENSSL_NO_ENGINE
+        e = setup_engine(bio_err, engine, 0);
+#endif
+        if (vpm)
+                X509_STORE_set1_param(cert_ctx, vpm);
+        lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
+        if (lookup == NULL)
+                abort();
+        if (CAfile) {
+                i = X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM);
+                if (!i) {
+                        BIO_printf(bio_err, "Error loading file %s\n", CAfile);
+                        ERR_print_errors(bio_err);
+                        goto end;
+                }
+        } else
+                X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
+        lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
+        if (lookup == NULL)
+                abort();
+        if (CApath) {
+                i = X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM);
+                if (!i) {
+                        BIO_printf(bio_err, "Error loading directory %s\n", CApath);
+                        ERR_print_errors(bio_err);
+                        goto end;
+                }
+        } else
+                X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
+        ERR_clear_error();
+        if (untfile) {
+                untrusted = load_certs(bio_err, untfile, FORMAT_PEM,
+                    NULL, e, "untrusted certificates");
+                if (!untrusted)
+                        goto end;
+        }
+        if (trustfile) {
+                trusted = load_certs(bio_err, trustfile, FORMAT_PEM,
+                    NULL, e, "trusted certificates");
+                if (!trusted)
+                        goto end;
+        }
+        if (crlfile) {
+                crls = load_crls(bio_err, crlfile, FORMAT_PEM,
+                    NULL, e, "other CRLs");
+                if (!crls)
+                        goto end;
+        }
+        ret = 0;
+        if (argc < 1) {
+                if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e))
+                        ret = -1;
+        } else {
+                for (i = 0; i < argc; i++)
+                        if (1 != check(cert_ctx, argv[i], untrusted, trusted,
+                            crls, e))
+                                ret = -1;
+        }
+end:
+        if (ret == 1) {
+                BIO_printf(bio_err, "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
+                BIO_printf(bio_err, " [-attime timestamp]");
+#ifndef OPENSSL_NO_ENGINE
+                BIO_printf(bio_err, " [-engine e]");
+#endif
+                BIO_printf(bio_err, " cert1 cert2 ...\n");
+                BIO_printf(bio_err, "recognized usages:\n");
+                for (i = 0; i < X509_PURPOSE_get_count(); i++) {
+                        X509_PURPOSE *ptmp;
+                        ptmp = X509_PURPOSE_get0(i);
+                        BIO_printf(bio_err, "\t%-10s\t%s\n",
+                            X509_PURPOSE_get0_sname(ptmp),
+                            X509_PURPOSE_get0_name(ptmp));
+                }
+        }
+        if (vpm)
+                X509_VERIFY_PARAM_free(vpm);
+        if (cert_ctx != NULL)
+                X509_STORE_free(cert_ctx);
+        sk_X509_pop_free(untrusted, X509_free);
+        sk_X509_pop_free(trusted, X509_free);
+        sk_X509_CRL_pop_free(crls, X509_CRL_free);
+        return (ret < 0 ? 2 : ret);
+}
+static int
+check(X509_STORE * ctx, char *file, STACK_OF(X509) * uchain,
+    STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls, ENGINE * e)
+{
+        X509 *x = NULL;
+        int i = 0, ret = 0;
+        X509_STORE_CTX *csc;
+        x = load_cert(bio_err, file, FORMAT_PEM, NULL, e, "certificate file");
+        if (x == NULL)
+                goto end;
+        fprintf(stdout, "%s: ", (file == NULL) ? "stdin" : file);
+        csc = X509_STORE_CTX_new();
+        if (csc == NULL) {
+                ERR_print_errors(bio_err);
+                goto end;
+        }
+        X509_STORE_set_flags(ctx, vflags);
+        if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
+                ERR_print_errors(bio_err);
+                goto end;
+        }
+        if (tchain)
+                X509_STORE_CTX_trusted_stack(csc, tchain);
+        if (crls)
+                X509_STORE_CTX_set0_crls(csc, crls);
+        i = X509_verify_cert(csc);
+        X509_STORE_CTX_free(csc);
+        ret = 0;
+end:
+        if (i > 0) {
+                fprintf(stdout, "OK\n");
+                ret = 1;
+        } else
+                ERR_print_errors(bio_err);
+        if (x != NULL)
+                X509_free(x);
+        return (ret);
+}
+static int
+cb(int ok, X509_STORE_CTX * ctx)
+{
+        int cert_error = X509_STORE_CTX_get_error(ctx);
+        X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
+        if (!ok) {
+                if (current_cert) {
+                        X509_NAME_print_ex_fp(stdout,
+                            X509_get_subject_name(current_cert),
+                            0, XN_FLAG_ONELINE);
+                        printf("\n");
+                }
+                printf("%serror %d at %d depth lookup:%s\n",
+                    X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path]" : "",
+                    cert_error,
+                    X509_STORE_CTX_get_error_depth(ctx),
+                    X509_verify_cert_error_string(cert_error));
+                switch (cert_error) {
+                case X509_V_ERR_NO_EXPLICIT_POLICY:
+                        policies_print(NULL, ctx);
+                case X509_V_ERR_CERT_HAS_EXPIRED:
+                        /*
+                         * since we are just checking the certificates, it is
+                         * ok if they are self signed. But we should still
+                         * warn the user.
+                         */
+                case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+                        /* Continue after extension errors too */
+                case X509_V_ERR_INVALID_CA:
+                case X509_V_ERR_INVALID_NON_CA:
+                case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+                case X509_V_ERR_INVALID_PURPOSE:
+                case X509_V_ERR_CRL_HAS_EXPIRED:
+                case X509_V_ERR_CRL_NOT_YET_VALID:
+                case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
+                        ok = 1;
+                }
+                return ok;
+        }
+        if (cert_error == X509_V_OK && ok == 2)
+                policies_print(NULL, ctx);
+        if (!v_verbose)
+                ERR_clear_error();
+        return (ok);
+}
author	jsing <>	2014-08-26 17:47:25 +0000
committer	jsing <>	2014-08-26 17:47:25 +0000
commit	f3755acd5513f85ff734de6a822b6f804d3776ce (patch)
tree	1f859a78eae941040f58599de8c0e1e56d61fdad /src/usr.bin/openssl/verify.c
parent	0779b9f30aa9875c290af18a4362799668829707 (diff)
download	openbsd-f3755acd5513f85ff734de6a822b6f804d3776ce.tar.gz openbsd-f3755acd5513f85ff734de6a822b6f804d3776ce.tar.bz2 openbsd-f3755acd5513f85ff734de6a822b6f804d3776ce.zip

diff --git a/src/usr.bin/openssl/verify.c b/src/usr.bin/openssl/verify.c new file mode 100644 index 0000000000..057c467372 --- /dev/null +++ b/src/usr.bin/openssl/verify.c
@@ -0,0 +1,339 @@
	1	/* $OpenBSD: verify.c,v 1.1 2014/08/26 17:47:25 jsing Exp $ */
	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
	3	* All rights reserved.
	4	*
	5	* This package is an SSL implementation written
	6	* by Eric Young (eay@cryptsoft.com).
	7	* The implementation was written so as to conform with Netscapes SSL.
	8	*
	9	* This library is free for commercial and non-commercial use as long as
	10	* the following conditions are aheared to. The following conditions
	11	* apply to all code found in this distribution, be it the RC4, RSA,
	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
	13	* included with this distribution is covered by the same copyright terms
	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
	15	*
	16	* Copyright remains Eric Young's, and as such any Copyright notices in
	17	* the code are not to be removed.
	18	* If this package is used in a product, Eric Young should be given attribution
	19	* as the author of the parts of the library used.
	20	* This can be in the form of a textual message at program startup or
	21	* in documentation (online or textual) provided with the package.
	22	*
	23	* Redistribution and use in source and binary forms, with or without
	24	* modification, are permitted provided that the following conditions
	25	* are met:
	26	* 1. Redistributions of source code must retain the copyright
	27	* notice, this list of conditions and the following disclaimer.
	28	* 2. Redistributions in binary form must reproduce the above copyright
	29	* notice, this list of conditions and the following disclaimer in the
	30	* documentation and/or other materials provided with the distribution.
	31	* 3. All advertising materials mentioning features or use of this software
	32	* must display the following acknowledgement:
	33	* "This product includes cryptographic software written by
	34	* Eric Young (eay@cryptsoft.com)"
	35	* The word 'cryptographic' can be left out if the rouines from the library
	36	* being used are not cryptographic related :-).
	37	* 4. If you include any Windows specific code (or a derivative thereof) from
	38	* the apps directory (application code) you must include an acknowledgement:
	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
	40	*
	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	51	* SUCH DAMAGE.
	52	*
	53	* The licence and distribution terms for any publically available version or
	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
	55	* copied and put under another distribution licence
	56	* [including the GNU Public Licence.]
	57	*/
	58
	59	#include <stdio.h>
	60	#include <stdlib.h>
	61	#include <string.h>
	62
	63	#include "apps.h"
	64
	65	#include <openssl/bio.h>
	66	#include <openssl/err.h>
	67	#include <openssl/pem.h>
	68	#include <openssl/x509.h>
	69	#include <openssl/x509v3.h>
	70
	71	static int cb(int ok, X509_STORE_CTX * ctx);
	72	static int check(X509_STORE * ctx, char file, STACK_OF(X509) uchain,
	73	STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls, ENGINE * e);
	74	static int v_verbose = 0, vflags = 0;
	75
	76	int verify_main(int, char **);
	77
	78	int
	79	verify_main(int argc, char **argv)
	80	{
	81	ENGINE *e = NULL;
	82	int i, ret = 1, badarg = 0;
	83	char CApath = NULL, CAfile = NULL;
	84	char untfile = NULL, trustfile = NULL, *crlfile = NULL;
	85	STACK_OF(X509) * untrusted = NULL, *trusted = NULL;
	86	STACK_OF(X509_CRL) * crls = NULL;
	87	X509_STORE *cert_ctx = NULL;
	88	X509_LOOKUP *lookup = NULL;
	89	X509_VERIFY_PARAM *vpm = NULL;
	90	#ifndef OPENSSL_NO_ENGINE
	91	char *engine = NULL;
	92	#endif
	93
	94	cert_ctx = X509_STORE_new();
	95	if (cert_ctx == NULL)
	96	goto end;
	97	X509_STORE_set_verify_cb(cert_ctx, cb);
	98
	99	ERR_load_crypto_strings();
	100
	101	argc--;
	102	argv++;
	103	for (;;) {
	104	if (argc >= 1) {
	105	if (strcmp(*argv, "-CApath") == 0) {
	106	if (argc-- < 1)
	107	goto end;
	108	CApath = *(++argv);
	109	} else if (strcmp(*argv, "-CAfile") == 0) {
	110	if (argc-- < 1)
	111	goto end;
	112	CAfile = *(++argv);
	113	} else if (args_verify(&argv, &argc, &badarg, bio_err,
	114	&vpm)) {
	115	if (badarg)
	116	goto end;
	117	continue;
	118	} else if (strcmp(*argv, "-untrusted") == 0) {
	119	if (argc-- < 1)
	120	goto end;
	121	untfile = *(++argv);
	122	} else if (strcmp(*argv, "-trusted") == 0) {
	123	if (argc-- < 1)
	124	goto end;
	125	trustfile = *(++argv);
	126	} else if (strcmp(*argv, "-CRLfile") == 0) {
	127	if (argc-- < 1)
	128	goto end;
	129	crlfile = *(++argv);
	130	}
	131	#ifndef OPENSSL_NO_ENGINE
	132	else if (strcmp(*argv, "-engine") == 0) {
	133	if (--argc < 1)
	134	goto end;
	135	engine = *(++argv);
	136	}
	137	#endif
	138	else if (strcmp(*argv, "-help") == 0)
	139	goto end;
	140	else if (strcmp(*argv, "-verbose") == 0)
	141	v_verbose = 1;
	142	else if (argv[0][0] == '-')
	143	goto end;
	144	else
	145	break;
	146	argc--;
	147	argv++;
	148	} else
	149	break;
	150	}
	151
	152	#ifndef OPENSSL_NO_ENGINE
	153	e = setup_engine(bio_err, engine, 0);
	154	#endif
	155
	156	if (vpm)
	157	X509_STORE_set1_param(cert_ctx, vpm);
	158
	159	lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
	160	if (lookup == NULL)
	161	abort();
	162	if (CAfile) {
	163	i = X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM);
	164	if (!i) {
	165	BIO_printf(bio_err, "Error loading file %s\n", CAfile);
	166	ERR_print_errors(bio_err);
	167	goto end;
	168	}
	169	} else
	170	X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
	171
	172	lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
	173	if (lookup == NULL)
	174	abort();
	175	if (CApath) {
	176	i = X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM);
	177	if (!i) {
	178	BIO_printf(bio_err, "Error loading directory %s\n", CApath);
	179	ERR_print_errors(bio_err);
	180	goto end;
	181	}
	182	} else
	183	X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
	184
	185	ERR_clear_error();
	186
	187	if (untfile) {
	188	untrusted = load_certs(bio_err, untfile, FORMAT_PEM,
	189	NULL, e, "untrusted certificates");
	190	if (!untrusted)
	191	goto end;
	192	}
	193	if (trustfile) {
	194	trusted = load_certs(bio_err, trustfile, FORMAT_PEM,
	195	NULL, e, "trusted certificates");
	196	if (!trusted)
	197	goto end;
	198	}
	199	if (crlfile) {
	200	crls = load_crls(bio_err, crlfile, FORMAT_PEM,
	201	NULL, e, "other CRLs");
	202	if (!crls)
	203	goto end;
	204	}
	205	ret = 0;
	206	if (argc < 1) {
	207	if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e))
	208	ret = -1;
	209	} else {
	210	for (i = 0; i < argc; i++)
	211	if (1 != check(cert_ctx, argv[i], untrusted, trusted,
	212	crls, e))
	213	ret = -1;
	214	}
	215
	216	end:
	217	if (ret == 1) {
	218	BIO_printf(bio_err, "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
	219	BIO_printf(bio_err, " [-attime timestamp]");
	220	#ifndef OPENSSL_NO_ENGINE
	221	BIO_printf(bio_err, " [-engine e]");
	222	#endif
	223	BIO_printf(bio_err, " cert1 cert2 ...\n");
	224
	225	BIO_printf(bio_err, "recognized usages:\n");
	226	for (i = 0; i < X509_PURPOSE_get_count(); i++) {
	227	X509_PURPOSE *ptmp;
	228	ptmp = X509_PURPOSE_get0(i);
	229	BIO_printf(bio_err, "\t%-10s\t%s\n",
	230	X509_PURPOSE_get0_sname(ptmp),
	231	X509_PURPOSE_get0_name(ptmp));
	232	}
	233	}
	234	if (vpm)
	235	X509_VERIFY_PARAM_free(vpm);
	236	if (cert_ctx != NULL)
	237	X509_STORE_free(cert_ctx);
	238	sk_X509_pop_free(untrusted, X509_free);
	239	sk_X509_pop_free(trusted, X509_free);
	240	sk_X509_CRL_pop_free(crls, X509_CRL_free);
	241
	242	return (ret < 0 ? 2 : ret);
	243	}
	244
	245	static int
	246	check(X509_STORE * ctx, char file, STACK_OF(X509) uchain,
	247	STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls, ENGINE * e)
	248	{
	249	X509 *x = NULL;
	250	int i = 0, ret = 0;
	251	X509_STORE_CTX *csc;
	252
	253	x = load_cert(bio_err, file, FORMAT_PEM, NULL, e, "certificate file");
	254	if (x == NULL)
	255	goto end;
	256	fprintf(stdout, "%s: ", (file == NULL) ? "stdin" : file);
	257
	258	csc = X509_STORE_CTX_new();
	259	if (csc == NULL) {
	260	ERR_print_errors(bio_err);
	261	goto end;
	262	}
	263	X509_STORE_set_flags(ctx, vflags);
	264	if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
	265	ERR_print_errors(bio_err);
	266	goto end;
	267	}
	268	if (tchain)
	269	X509_STORE_CTX_trusted_stack(csc, tchain);
	270	if (crls)
	271	X509_STORE_CTX_set0_crls(csc, crls);
	272	i = X509_verify_cert(csc);
	273	X509_STORE_CTX_free(csc);
	274
	275	ret = 0;
	276
	277	end:
	278	if (i > 0) {
	279	fprintf(stdout, "OK\n");
	280	ret = 1;
	281	} else
	282	ERR_print_errors(bio_err);
	283	if (x != NULL)
	284	X509_free(x);
	285
	286	return (ret);
	287	}
	288
	289	static int
	290	cb(int ok, X509_STORE_CTX * ctx)
	291	{
	292	int cert_error = X509_STORE_CTX_get_error(ctx);
	293	X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
	294
	295	if (!ok) {
	296	if (current_cert) {
	297	X509_NAME_print_ex_fp(stdout,
	298	X509_get_subject_name(current_cert),
	299	0, XN_FLAG_ONELINE);
	300	printf("\n");
	301	}
	302	printf("%serror %d at %d depth lookup:%s\n",
	303	X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path]" : "",
	304	cert_error,
	305	X509_STORE_CTX_get_error_depth(ctx),
	306	X509_verify_cert_error_string(cert_error));
	307	switch (cert_error) {
	308	case X509_V_ERR_NO_EXPLICIT_POLICY:
	309	policies_print(NULL, ctx);
	310	case X509_V_ERR_CERT_HAS_EXPIRED:
	311
	312	/*
	313	* since we are just checking the certificates, it is
	314	* ok if they are self signed. But we should still
	315	* warn the user.
	316	*/
	317
	318	case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
	319	/* Continue after extension errors too */
	320	case X509_V_ERR_INVALID_CA:
	321	case X509_V_ERR_INVALID_NON_CA:
	322	case X509_V_ERR_PATH_LENGTH_EXCEEDED:
	323	case X509_V_ERR_INVALID_PURPOSE:
	324	case X509_V_ERR_CRL_HAS_EXPIRED:
	325	case X509_V_ERR_CRL_NOT_YET_VALID:
	326	case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
	327	ok = 1;
	328
	329	}
	330
	331	return ok;
	332
	333	}
	334	if (cert_error == X509_V_OK && ok == 2)
	335	policies_print(NULL, ctx);
	336	if (!v_verbose)
	337	ERR_clear_error();
	338	return (ok);
	339	}