Commit 7f3f41d8 authored by Matt Caswell

Extend -show_chain option to verify to show more info



The -show_chain flag to the verify command line app shows information about
the chain that has been built. This commit adds the text "untrusted" against
those certificates that have been used from the untrusted list.

Reviewed-by: Rich Salz <rsalz@openssl.org>
parent a64ba70d
+7 −1
@@ -244,6 +244,7 @@ static int check(X509_STORE *ctx, char *file,
    int i = 0, ret = 0;
    int i = 0, ret = 0;
    X509_STORE_CTX *csc;
    X509_STORE_CTX *csc;
    STACK_OF(X509) *chain = NULL;
    STACK_OF(X509) *chain = NULL;
    int num_untrusted;


    x = load_cert(file, FORMAT_PEM, NULL, e, "certificate file");
    x = load_cert(file, FORMAT_PEM, NULL, e, "certificate file");
    if (x == NULL)
    if (x == NULL)
@@ -265,8 +266,10 @@ static int check(X509_STORE *ctx, char *file,
    if (crls)
    if (crls)
        X509_STORE_CTX_set0_crls(csc, crls);
        X509_STORE_CTX_set0_crls(csc, crls);
    i = X509_verify_cert(csc);
    i = X509_verify_cert(csc);
    if (i > 0 && show_chain)
    if (i > 0 && show_chain) {
        chain = X509_STORE_CTX_get1_chain(csc);
        chain = X509_STORE_CTX_get1_chain(csc);
        num_untrusted = X509_STORE_CTX_get_num_untrusted(csc);
    }
    X509_STORE_CTX_free(csc);
    X509_STORE_CTX_free(csc);


    ret = 0;
    ret = 0;
@@ -284,6 +287,9 @@ static int check(X509_STORE *ctx, char *file,
            X509_NAME_print_ex_fp(stdout,
            X509_NAME_print_ex_fp(stdout,
                                  X509_get_subject_name(cert),
                                  X509_get_subject_name(cert),
                                  0, XN_FLAG_ONELINE);
                                  0, XN_FLAG_ONELINE);
            if (i < num_untrusted) {
                printf(" (untrusted)");
            }
            printf("\n");
            printf("\n");
        }
        }
        sk_X509_pop_free(chain, X509_free);
        sk_X509_pop_free(chain, X509_free);
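Review bot: `num_untrusted` is declared as `int num_untrusted;` but only assigned inside the `if (i > 0 && show_chain) {` branch, and is then read in the later `if (i < num_untrusted)`; the read is presumably reached only when `chain` was set in that same branch (the loop header is outside this hunk), but the compiler cannot see that and `-Wmaybe-uninitialized` will fire, and any later reshuffling of the guards turns the comparison into a read of an indeterminate value. Initialize it at the declaration: `int num_untrusted = 0;`. Separately, chain index 0 is the target certificate itself, so with the `i < num_untrusted` test the leaf will presumably be labelled "(untrusted)" along with any intermediates supplied via -untrusted; if the intent is to flag only the supplied intermediates, the test would be `i > 0 && i < num_untrusted` — confirm against the semantics of `last_untrusted` before changing it. The enclosing check() function starts and ends outside this hunk.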
+5 −0
@@ -2452,6 +2452,11 @@ int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
    return ctx->explicit_policy;
    return ctx->explicit_policy;
}
}


int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx)
{
    return ctx->last_untrusted;
}

int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
{
{
    const X509_VERIFY_PARAM *param;
    const X509_VERIFY_PARAM *param;
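Review bot: The new accessor `X509_STORE_CTX_get_num_untrusted()` returns `ctx->last_untrusted` with no comment on what the number means or when it is valid, and the word "untrusted" invites misreading as "failed verification" rather than "not taken from the trust store". From its use in the verify app (`i < num_untrusted` over chain indices starting at 0) the value appears to be the count of leading chain entries, starting at the target certificate, that were supplied by the caller rather than found in the store, and it is only meaningful after X509_verify_cert() has run; before that the field holds whatever X509_STORE_CTX_init left there. I would add above the definition: `/* Number of leading chain entries (target certificate first) that were not taken from the trusted store; only meaningful after X509_verify_cert() has returned. */`. Like the neighbouring accessors it does no NULL check on ctx, which matches the file's convention.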
+8 −1
@@ -42,6 +42,7 @@ B<openssl> B<verify>
[B<-verify_ip ip>]
[B<-verify_ip ip>]
[B<-verify_name name>]
[B<-verify_name name>]
[B<-x509_strict>]
[B<-x509_strict>]
[B<-show_chain>]
[B<->]
[B<->]
[certificates]
[certificates]


@@ -227,6 +228,12 @@ Supported usages include: default, pkcs7, smime_sign, ssl_client, ssl_server.
For strict X.509 compliance, disable non-compliant workarounds for broken
For strict X.509 compliance, disable non-compliant workarounds for broken
certificates.
certificates.


=item B<-show_chain>

Display information about the certificate chain that has been built (if
successful). Certificates in the chain that came from the untrusted list will be
flagged as "untrusted".

=item B<->
=item B<->


Indicates the last option. All arguments following this are assumed to be
Indicates the last option. All arguments following this are assumed to be
@@ -491,6 +498,6 @@ L<x509(1)|x509(1)>


=head1 HISTORY
=head1 HISTORY


The -no_alt_chains options was first added to OpenSSL 1.1.0.
The -show_chain option was first added to OpenSSL 1.1.0.


=cut
=cut
+9 −0
@@ -25,6 +25,8 @@ X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free, X509_STORE_CTX_
 void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
 void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
 int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
 int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);


 int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx);

=head1 DESCRIPTION
=head1 DESCRIPTION


These functions initialise an B<X509_STORE_CTX> structure for subsequent use
These functions initialise an B<X509_STORE_CTX> structure for subsequent use
@@ -76,6 +78,9 @@ X509_STORE_CTX_set_default() looks up and sets the default verification
method to B<name>. This uses the function X509_VERIFY_PARAM_lookup() to
method to B<name>. This uses the function X509_VERIFY_PARAM_lookup() to
find an appropriate set of parameters from B<name>.
find an appropriate set of parameters from B<name>.


X509_STORE_CTX_get_num_untrusted() returns the number of untrusted certificates
that were used in building the chain following a call to X509_verify_cert().

=head1 NOTES
=head1 NOTES


The certificates and CRLs in a store are used internally and should B<not>
The certificates and CRLs in a store are used internally and should B<not>
@@ -116,6 +121,9 @@ values.


X509_STORE_CTX_set_default() returns 1 for success or 0 if an error occurred.
X509_STORE_CTX_set_default() returns 1 for success or 0 if an error occurred.


X509_STORE_CTX_get_num_untrusted() returns the number of untrusted certificates
used.

=head1 SEE ALSO
=head1 SEE ALSO


L<X509_verify_cert(3)|X509_verify_cert(3)>
L<X509_verify_cert(3)|X509_verify_cert(3)>
@@ -124,5 +132,6 @@ L<X509_VERIFY_PARAM_set_flags(3)|X509_VERIFY_PARAM_set_flags(3)>
=head1 HISTORY
=head1 HISTORY


X509_STORE_CTX_set0_crls() was first added to OpenSSL 1.0.0
X509_STORE_CTX_set0_crls() was first added to OpenSSL 1.0.0
X509_STORE_CTX_get_num_untrusted() was first added to OpenSSL 1.1.0


=cut
=cut
+1 −0
@@ -528,6 +528,7 @@ void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,


X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx);
X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx);
int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx);


X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);