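/*
 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "apps.h"
#include "progs.h"
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pem.h>

/*
 * Implementation of the `openssl verify` command: build and validate the
 * certificate chain for each input certificate against a trust store, and
 * report the result on bio_out / bio_err.
 */

static int cb(int ok, X509_STORE_CTX *ctx);
static int check(X509_STORE *ctx, const char *file,
                 STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
                 STACK_OF(X509_CRL) *crls, int show_chain,
                 STACK_OF(OPENSSL_STRING) *opts);

/*
 * v_verbose: when set, error-queue entries produced during verification are
 * kept (and printed) instead of being cleared by the callback.
 * vflags: X509_STORE flags applied in check(); nothing in this file ever sets
 * it, so it is currently always 0.
 */
static int v_verbose = 0, vflags = 0;

typedef enum OPTION_choice {
    OPT_COMMON,
    OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE,
    OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE,
    OPT_UNTRUSTED, OPT_TRUSTED, OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN,
    OPT_V_ENUM, OPT_NAMEOPT, OPT_VFYOPT,
    OPT_VERBOSE,
    OPT_PROV_ENUM
} OPTION_CHOICE;

const OPTIONS verify_options[] = {
    {OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert...]\n"},

    OPT_SECTION("General"),
    {"help", OPT_HELP, '-', "Display this summary"},
#ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
    {"verbose", OPT_VERBOSE, '-',
        "Print extra information about the operations being performed."},
    {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},

    OPT_SECTION("Certificate chain"),
    {"trusted", OPT_TRUSTED, '<', "A file of trusted certificates"},
    {"CAfile", OPT_CAFILE, '<', "A file of trusted certificates"},
    {"CApath", OPT_CAPATH, '/', "A directory of files with trusted certificates"},
    {"CAstore", OPT_CASTORE, ':', "URI to a store of trusted certificates"},
    {"no-CAfile", OPT_NOCAFILE, '-',
     "Do not load the default trusted certificates file"},
    {"no-CApath", OPT_NOCAPATH, '-',
     "Do not load trusted certificates from the default directory"},
    {"no-CAstore", OPT_NOCASTORE, '-',
     "Do not load trusted certificates from the default certificates store"},
    {"untrusted", OPT_UNTRUSTED, '<', "A file of untrusted certificates"},
    {"CRLfile", OPT_CRLFILE, '<',
     "File containing one or more CRL's (in PEM format) to load"},
    {"crl_download", OPT_CRL_DOWNLOAD, '-',
     "Try downloading CRL information for certificates via their CDP entries"},
    {"show_chain", OPT_SHOW_CHAIN, '-',
     "Display information about the certificate chain"},

    OPT_V_OPTIONS,
    {"vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form"},

    OPT_PROV_OPTIONS,

    OPT_PARAMETERS(),
    {"cert", 0, 0, "Certificate(s) to verify (optional; stdin used otherwise)"},
    {NULL}
};

/*
 * Entry point of the `verify` command.
 *
 * Parses the command line, builds the trust store, and runs check() on each
 * positional certificate file (or on stdin when none is given).
 *
 * Returns 0 when every certificate verified (or -help was requested),
 * 1 on a usage or setup error, and 2 when at least one certificate failed
 * verification.
 */
int verify_main(int argc, char **argv)
{
    ENGINE *e = NULL;
    STACK_OF(X509) *untrusted = NULL, *trusted = NULL;
    STACK_OF(X509_CRL) *crls = NULL;
    STACK_OF(OPENSSL_STRING) *vfyopts = NULL;
    X509_STORE *store = NULL;
    X509_VERIFY_PARAM *vpm = NULL;
    const char *prog, *CApath = NULL, *CAfile = NULL, *CAstore = NULL;
    int noCApath = 0, noCAfile = 0, noCAstore = 0;
    int vpmtouched = 0, crl_download = 0, show_chain = 0, i = 0, ret = 1;
    OPTION_CHOICE o;

    if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
        goto end;

    prog = opt_init(argc, argv, verify_options);
    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(verify_options);
            BIO_printf(bio_err, "\nRecognized certificate chain purposes:\n");
            for (i = 0; i < X509_PURPOSE_get_count(); i++) {
                X509_PURPOSE *ptmp = X509_PURPOSE_get0(i);

                BIO_printf(bio_err, "  %-15s  %s\n",
                           X509_PURPOSE_get0_sname(ptmp),
                           X509_PURPOSE_get0_name(ptmp));
            }

            BIO_printf(bio_err, "Recognized certificate policy names:\n");
            for (i = 0; i < X509_VERIFY_PARAM_get_count(); i++) {
                const X509_VERIFY_PARAM *vptmp = X509_VERIFY_PARAM_get0(i);

                BIO_printf(bio_err, "  %s\n",
                           X509_VERIFY_PARAM_get0_name(vptmp));
            }
            ret = 0;
            goto end;
        case OPT_V_CASES:
            /* -purpose, -policy, -verify_hostname, -x509_strict, ... */
            if (!opt_verify(o, vpm))
                goto end;
            vpmtouched++;
            break;
        case OPT_CAPATH:
            CApath = opt_arg();
            break;
        case OPT_CAFILE:
            CAfile = opt_arg();
            break;
        case OPT_CASTORE:
            CAstore = opt_arg();
            break;
        case OPT_NOCAPATH:
            noCApath = 1;
            break;
        case OPT_NOCAFILE:
            noCAfile = 1;
            break;
        case OPT_NOCASTORE:
            noCAstore = 1;
            break;
        case OPT_UNTRUSTED:
            /* Zero or more times */
            if (!load_certs(opt_arg(), 0, &untrusted, NULL,
                            "untrusted certificates"))
                goto end;
            break;
        case OPT_TRUSTED:
            /*
             * Zero or more times.  -trusted replaces the default trust
             * anchors rather than adding to them: suppress loading of the
             * default file, directory and store so only the explicitly
             * supplied certificates can act as anchors.
             */
            noCAfile = 1;
            noCApath = 1;
            noCAstore = 1;
            if (!load_certs(opt_arg(), 0, &trusted, NULL, "trusted certificates"))
                goto end;
            break;
        case OPT_CRLFILE:
            /* Zero or more times */
            if (!load_crls(opt_arg(), &crls, NULL, "other CRLs"))
                goto end;
            break;
        case OPT_CRL_DOWNLOAD:
            crl_download = 1;
            break;
        case OPT_ENGINE:
            if ((e = setup_engine(opt_arg(), 0)) == NULL) {
                /* Failure message already displayed */
                goto end;
            }
            break;
        case OPT_SHOW_CHAIN:
            show_chain = 1;
            break;
        case OPT_NAMEOPT:
            if (!set_nameopt(opt_arg()))
                goto end;
            break;
        case OPT_VFYOPT:
            /* Collected here; applied to each leaf certificate in check(). */
            if (!vfyopts)
                vfyopts = sk_OPENSSL_STRING_new_null();
            if (!vfyopts || !sk_OPENSSL_STRING_push(vfyopts, opt_arg()))
                goto opthelp;
            break;
        case OPT_VERBOSE:
            v_verbose = 1;
            break;
        case OPT_PROV_CASES:
            if (!opt_provider(o))
                goto end;
            break;
        }
    }

    /* Extra arguments are certificates to verify. */
    argc = opt_num_rest();
    argv = opt_rest();

    if (trusted != NULL
            && (CAfile != NULL || CApath != NULL || CAstore != NULL)) {
        BIO_printf(bio_err,
                   "%s: Cannot use -trusted with -CAfile, -CApath or -CAstore\n",
                   prog);
        goto end;
    }

    if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
                              CAstore, noCAstore)) == NULL)
        goto end;
    X509_STORE_set_verify_cb(store, cb);

    /*
     * Copy the user's verification parameters into the store.  A failure
     * here must not be ignored: it would silently drop -purpose, -policy,
     * hostname checks, etc. and verify with the library defaults instead.
     */
    if (vpmtouched && !X509_STORE_set1_param(store, vpm)) {
        BIO_printf(bio_err, "%s: Unable to set verification parameters\n",
                   prog);
        ERR_print_errors(bio_err);
        goto end;
    }

    ERR_clear_error();

    if (crl_download)
        store_setup_crl_download(store);

    /* From here on a failed check() yields exit status 2 via ret = -1. */
    ret = 0;
    if (argc < 1) {
        if (check(store, NULL, untrusted, trusted, crls, show_chain,
                  vfyopts) != 1)
            ret = -1;
    } else {
        for (i = 0; i < argc; i++)
            if (check(store, argv[i], untrusted, trusted, crls, show_chain,
                      vfyopts) != 1)
                ret = -1;
    }

 end:
    X509_VERIFY_PARAM_free(vpm);
    X509_STORE_free(store);
    sk_X509_pop_free(untrusted, X509_free);
    sk_X509_pop_free(trusted, X509_free);
    sk_X509_CRL_pop_free(crls, X509_CRL_free);
    sk_OPENSSL_STRING_free(vfyopts);
    release_engine(e);
    return (ret < 0 ? 2 : ret);
}

/*
 * Verify one certificate.
 *
 * ctx        trust store (verify callback and parameters already set)
 * file       certificate file to load, or NULL to read from stdin
 * uchain     untrusted intermediate certificates, or NULL
 * tchain     explicit trust anchors (-trusted); when non-NULL they replace
 *            the store's lookup for trusted certificates
 * crls       CRLs supplied on the command line, or NULL
 * show_chain print the validated chain on success
 * opts       -vfyopt n:v strings, applied to the leaf via x509_ctrl_string()
 *
 * Returns 1 only if X509_verify_cert() succeeded AND the context's error
 * code is X509_V_OK.  The second condition matters: cb() returns 1 for some
 * errors so the whole chain keeps being examined, but such an error remains
 * recorded in the context and is treated as a failure here.
 * Returns 0 on any failure.
 */
static int check(X509_STORE *ctx, const char *file,
                 STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
                 STACK_OF(X509_CRL) *crls, int show_chain,
                 STACK_OF(OPENSSL_STRING) *opts)
{
    X509 *x = NULL;
    int i = 0, ret = 0;
    X509_STORE_CTX *csc;
    STACK_OF(X509) *chain = NULL;
    int num_untrusted;

    x = load_cert(file, FORMAT_UNDEF, "certificate file");
    if (x == NULL)
        goto end;

    if (opts != NULL) {
        for (i = 0; i < sk_OPENSSL_STRING_num(opts); i++) {
            char *opt = sk_OPENSSL_STRING_value(opts, i);
            if (x509_ctrl_string(x, opt) <= 0) {
                BIO_printf(bio_err, "parameter error \"%s\"\n", opt);
                ERR_print_errors(bio_err);
                X509_free(x);
                return 0;
            }
        }
    }

    csc = X509_STORE_CTX_new();
    if (csc == NULL) {
        BIO_printf(bio_err, "error %s: X.509 store context allocation failed\n",
                   (file == NULL) ? "stdin" : file);
        goto end;
    }

    X509_STORE_set_flags(ctx, vflags);
    if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
        X509_STORE_CTX_free(csc);
        BIO_printf(bio_err,
                   "error %s: X.509 store context initialization failed\n",
                   (file == NULL) ? "stdin" : file);
        goto end;
    }
    if (tchain != NULL)
        X509_STORE_CTX_set0_trusted_stack(csc, tchain);
    if (crls != NULL)
        X509_STORE_CTX_set0_crls(csc, crls);
    i = X509_verify_cert(csc);
    /* A positive return alone is not enough; see the function comment. */
    if (i > 0 && X509_STORE_CTX_get_error(csc) == X509_V_OK) {
        BIO_printf(bio_out, "%s: OK\n", (file == NULL) ? "stdin" : file);
        ret = 1;
        if (show_chain) {
            int j;

            chain = X509_STORE_CTX_get1_chain(csc);
            num_untrusted = X509_STORE_CTX_get_num_untrusted(csc);
            BIO_printf(bio_out, "Chain:\n");
            for (j = 0; j < sk_X509_num(chain); j++) {
                X509 *cert = sk_X509_value(chain, j);
                BIO_printf(bio_out, "depth=%d: ", j);
                /*
                 * Write the name through bio_out like the rest of the chain
                 * output, rather than directly to stdout, so the whole
                 * report goes through one stream in order.
                 */
                X509_NAME_print_ex(bio_out,
                                   X509_get_subject_name(cert),
                                   0, get_nameopt());
                if (j < num_untrusted)
                    BIO_printf(bio_out, " (untrusted)");
                BIO_printf(bio_out, "\n");
            }
            sk_X509_pop_free(chain, X509_free);
        }
    } else {
        BIO_printf(bio_err,
                   "error %s: verification failed\n",
                   (file == NULL) ? "stdin" : file);
    }
    X509_STORE_CTX_free(csc);

 end:
    if (i <= 0)
        ERR_print_errors(bio_err);
    X509_free(x);

    return ret;
}

/*
 * Verification callback installed on the X509_STORE.
 *
 * On an error (ok == 0) it prints the offending certificate's subject, the
 * error code, depth and description, then for a fixed list of errors returns
 * 1 so that X509_verify_cert() continues and reports problems further up the
 * chain.  This is purely for diagnostics: check() still requires the
 * context's error to be X509_V_OK before accepting the certificate, so an
 * overridden error never turns into a successful verification.
 *
 * On success, ok == 2 indicates an explicit policy was satisfied, in which
 * case the policy tree is printed.  Unless -verbose was given, the error
 * queue is cleared so that harmless lookup failures don't surface later.
 */
static int cb(int ok, X509_STORE_CTX *ctx)
{
    int cert_error = X509_STORE_CTX_get_error(ctx);
    X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);

    if (!ok) {
        if (current_cert != NULL) {
            X509_NAME_print_ex(bio_err,
                               X509_get_subject_name(current_cert),
                               0, get_nameopt());
            BIO_printf(bio_err, "\n");
        }
        BIO_printf(bio_err, "%serror %d at %d depth lookup: %s\n",
                   X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path] " : "",
                   cert_error,
                   X509_STORE_CTX_get_error_depth(ctx),
                   X509_verify_cert_error_string(cert_error));

        /*
         * Pretend that some errors are ok, so they don't stop further
         * processing of the certificate chain.  Setting ok = 1 does this.
         * After X509_verify_cert() is done, we verify that there were
         * no actual errors, even if the returned value was positive.
         */
        switch (cert_error) {
        case X509_V_ERR_NO_EXPLICIT_POLICY:
            policies_print(ctx);
            /* fall thru */
        case X509_V_ERR_CERT_HAS_EXPIRED:
            /* Continue even if the leaf is a self-signed cert */
        case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
            /* Continue after extension errors too */
        case X509_V_ERR_INVALID_CA:
        case X509_V_ERR_INVALID_NON_CA:
        case X509_V_ERR_PATH_LENGTH_EXCEEDED:
        case X509_V_ERR_CRL_HAS_EXPIRED:
        case X509_V_ERR_CRL_NOT_YET_VALID:
        case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
            /* errors due to strict conformance checking (-x509_strict) */
        case X509_V_ERR_INVALID_PURPOSE:
        case X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA:
        case X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN:
        case X509_V_ERR_CA_BCONS_NOT_CRITICAL:
        case X509_V_ERR_CA_CERT_MISSING_KEY_USAGE:
        case X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA:
        case X509_V_ERR_ISSUER_NAME_EMPTY:
        case X509_V_ERR_SUBJECT_NAME_EMPTY:
        case X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL:
        case X509_V_ERR_EMPTY_SUBJECT_ALT_NAME:
        case X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY:
        case X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL:
        case X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL:
        case X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER:
        case X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER:
        case X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3:
            ok = 1;
            break;
        default:
            /* Any other error stops verification immediately. */
            break;
        }
        return ok;

    }
    if (cert_error == X509_V_OK && ok == 2)
        policies_print(ctx);
    if (!v_verbose)
        ERR_clear_error();
    return ok;
}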