xref: /dragonfly/crypto/libressl/apps/openssl/verify.c (revision 961e30ea7dc61d1112b778ea4981eac68129fb86)
1 /* $OpenBSD: verify.c,v 1.14 2021/02/15 17:57:58 jsing Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 
59 #include <stdio.h>
60 #include <stdlib.h>
61 #include <string.h>
62 
63 #include "apps.h"
64 
65 #include <openssl/bio.h>
66 #include <openssl/err.h>
67 #include <openssl/pem.h>
68 #include <openssl/x509.h>
69 #include <openssl/x509v3.h>
70 
71 static int cb(int ok, X509_STORE_CTX *ctx);
72 static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain,
73     STACK_OF(X509) *tchain, STACK_OF(X509_CRL) *crls);
74 static int vflags = 0;
75 
76 static struct {
77           char *CAfile;
78           char *CApath;
79           char *crlfile;
80           char *trustfile;
81           char *untfile;
82           int verbose;
83           X509_VERIFY_PARAM *vpm;
84 } verify_config;
85 
86 static int
verify_opt_args(int argc,char ** argv,int * argsused)87 verify_opt_args(int argc, char **argv, int *argsused)
88 {
89           int oargc = argc;
90           int badarg = 0;
91 
92           if (!args_verify(&argv, &argc, &badarg, bio_err, &verify_config.vpm))
93                     return (1);
94           if (badarg)
95                     return (1);
96 
97           *argsused = oargc - argc;
98 
99           return (0);
100 }
101 
102 static const struct option verify_options[] = {
103           {
104                     .name = "CAfile",
105                     .argname = "file",
106                     .desc = "Certificate Authority file",
107                     .type = OPTION_ARG,
108                     .opt.arg = &verify_config.CAfile,
109           },
110           {
111                     .name = "CApath",
112                     .argname = "path",
113                     .desc = "Certificate Authority path",
114                     .type = OPTION_ARG,
115                     .opt.arg = &verify_config.CApath,
116           },
117           {
118                     .name = "CRLfile",
119                     .argname = "file",
120                     .desc = "Certificate Revocation List file",
121                     .type = OPTION_ARG,
122                     .opt.arg = &verify_config.crlfile,
123           },
124           {
125                     .name = "trusted",
126                     .argname = "file",
127                     .desc = "Trusted certificates file",
128                     .type = OPTION_ARG,
129                     .opt.arg = &verify_config.trustfile,
130           },
131           {
132                     .name = "untrusted",
133                     .argname = "file",
134                     .desc = "Untrusted certificates file",
135                     .type = OPTION_ARG,
136                     .opt.arg = &verify_config.untfile,
137           },
138           {
139                     .name = "verbose",
140                     .desc = "Verbose",
141                     .type = OPTION_FLAG,
142                     .opt.flag = &verify_config.verbose,
143           },
144           {
145                     .name = NULL,
146                     .desc = "",
147                     .type = OPTION_ARGV_FUNC,
148                     .opt.argvfunc = verify_opt_args,
149           },
150           { NULL },
151 };
152 
153 static const struct option verify_shared_options[] = {
154           {
155                     .name = "attime",
156                     .argname = "epoch",
157                     .desc = "Use epoch as the verification time",
158           },
159           {
160                     .name = "check_ss_sig",
161                     .desc = "Check the root CA self-signed certificate signature",
162           },
163           {
164                     .name = "crl_check",
165                     .desc = "Enable CRL checking for the leaf certificate",
166           },
167           {
168                     .name = "crl_check_all",
169                     .desc = "Enable CRL checking for the entire certificate chain",
170           },
171           {
172                     .name = "explicit_policy",
173                     .desc = "Require explicit policy (per RFC 3280)",
174           },
175           {
176                     .name = "extended_crl",
177                     .desc = "Enable extended CRL support",
178           },
179           {
180                     .name = "ignore_critical",
181                     .desc = "Disable critical extension checking",
182           },
183           {
184                     .name = "inhibit_any",
185                     .desc = "Inhibit any policy (per RFC 3280)",
186           },
187           {
188                     .name = "inhibit_map",
189                     .desc = "Inhibit policy mapping (per RFC 3280)",
190           },
191           {
192                     .name = "issuer_checks",
193                     .desc = "Enable debugging of certificate issuer checks",
194           },
195           {
196                     .name = "legacy_verify",
197                     .desc = "Use legacy certificate chain verification",
198           },
199           {
200                     .name = "policy",
201                     .argname = "name",
202                     .desc = "Add given policy to the acceptable set",
203           },
204           {
205                     .name = "policy_check",
206                     .desc = "Enable certificate policy checking",
207           },
208           {
209                     .name = "policy_print",
210                     .desc = "Print policy",
211           },
212           {
213                     .name = "purpose",
214                     .argname = "name",
215                     .desc = "Verify for the given purpose",
216           },
217           {
218                     .name = "use_deltas",
219                     .desc = "Use delta CRLS (if present)",
220           },
221           {
222                     .name = "verify_depth",
223                     .argname = "num",
224                     .desc = "Limit verification to the given depth",
225           },
226           {
227                     .name = "x509_strict",
228                     .desc = "Use strict X.509 rules (disables workarounds)",
229           },
230           { NULL },
231 };
232 
233 static void
verify_usage(void)234 verify_usage(void)
235 {
236           int i;
237 
238           fprintf(stderr,
239               "usage: verify [-CAfile file] [-CApath directory] [-check_ss_sig]\n"
240               "    [-CRLfile file] [-crl_check] [-crl_check_all]\n"
241               "    [-explicit_policy] [-extended_crl]\n"
242               "    [-ignore_critical] [-inhibit_any] [-inhibit_map]\n"
243               "    [-issuer_checks] [-policy_check] [-purpose purpose]\n"
244               "    [-trusted file] [-untrusted file] [-verbose]\n"
245               "    [-x509_strict] [certificates]\n\n");
246 
247           options_usage(verify_options);
248 
249           fprintf(stderr, "\nVerification options:\n\n");
250           options_usage(verify_shared_options);
251 
252           fprintf(stderr, "\nValid purposes:\n\n");
253           for (i = 0; i < X509_PURPOSE_get_count(); i++) {
254                     X509_PURPOSE *ptmp = X509_PURPOSE_get0(i);
255                     fprintf(stderr, "  %-18s%s\n", X509_PURPOSE_get0_sname(ptmp),
256                         X509_PURPOSE_get0_name(ptmp));
257           }
258 }
259 
260 int
verify_main(int argc,char ** argv)261 verify_main(int argc, char **argv)
262 {
263           STACK_OF(X509) *untrusted = NULL, *trusted = NULL;
264           STACK_OF(X509_CRL) *crls = NULL;
265           X509_STORE *cert_ctx = NULL;
266           X509_LOOKUP *lookup = NULL;
267           char **cert_files = NULL;
268           int argsused;
269           int ret = 1;
270 
271           if (single_execution) {
272                     if (pledge("stdio rpath", NULL) == -1) {
273                               perror("pledge");
274                               exit(1);
275                     }
276           }
277 
278           memset(&verify_config, 0, sizeof(verify_config));
279 
280           if (options_parse(argc, argv, verify_options, NULL, &argsused) != 0) {
281                     verify_usage();
282                     goto end;
283           }
284 
285           if (argsused < argc)
286                     cert_files = &argv[argsused];
287 
288           cert_ctx = X509_STORE_new();
289           if (cert_ctx == NULL)
290                     goto end;
291           X509_STORE_set_verify_cb(cert_ctx, cb);
292 
293           if (verify_config.vpm)
294                     X509_STORE_set1_param(cert_ctx, verify_config.vpm);
295 
296           lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
297           if (lookup == NULL)
298                     abort(); /* XXX */
299           if (verify_config.CAfile) {
300                     if (!X509_LOOKUP_load_file(lookup, verify_config.CAfile,
301                         X509_FILETYPE_PEM)) {
302                               BIO_printf(bio_err, "Error loading file %s\n",
303                                   verify_config.CAfile);
304                               ERR_print_errors(bio_err);
305                               goto end;
306                     }
307           } else
308                     X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
309 
310           lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
311           if (lookup == NULL)
312                     abort(); /* XXX */
313           if (verify_config.CApath) {
314                     if (!X509_LOOKUP_add_dir(lookup, verify_config.CApath,
315                         X509_FILETYPE_PEM)) {
316                               BIO_printf(bio_err, "Error loading directory %s\n",
317                                   verify_config.CApath);
318                               ERR_print_errors(bio_err);
319                               goto end;
320                     }
321           } else
322                     X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
323 
324           ERR_clear_error();
325 
326           if (verify_config.untfile) {
327                     untrusted = load_certs(bio_err, verify_config.untfile,
328                         FORMAT_PEM, NULL, "untrusted certificates");
329                     if (!untrusted)
330                               goto end;
331           }
332           if (verify_config.trustfile) {
333                     trusted = load_certs(bio_err, verify_config.trustfile,
334                         FORMAT_PEM, NULL, "trusted certificates");
335                     if (!trusted)
336                               goto end;
337           }
338           if (verify_config.crlfile) {
339                     crls = load_crls(bio_err, verify_config.crlfile, FORMAT_PEM,
340                         NULL, "other CRLs");
341                     if (!crls)
342                               goto end;
343           }
344           ret = 0;
345           if (cert_files == NULL) {
346                     if (1 != check(cert_ctx, NULL, untrusted, trusted, crls))
347                               ret = -1;
348           } else {
349                     do {
350                               if (1 != check(cert_ctx, *cert_files++, untrusted,
351                                   trusted, crls))
352                                         ret = -1;
353                     } while (*cert_files != NULL);
354           }
355 
356  end:
357           if (verify_config.vpm)
358                     X509_VERIFY_PARAM_free(verify_config.vpm);
359           if (cert_ctx != NULL)
360                     X509_STORE_free(cert_ctx);
361           sk_X509_pop_free(untrusted, X509_free);
362           sk_X509_pop_free(trusted, X509_free);
363           sk_X509_CRL_pop_free(crls, X509_CRL_free);
364 
365           return (ret < 0 ? 2 : ret);
366 }
367 
368 static int
check(X509_STORE * ctx,char * file,STACK_OF (X509)* uchain,STACK_OF (X509)* tchain,STACK_OF (X509_CRL)* crls)369 check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain,
370     STACK_OF(X509) *tchain, STACK_OF(X509_CRL) *crls)
371 {
372           X509 *x = NULL;
373           X509_STORE_CTX *csc = NULL;
374           const char *certfile = (file == NULL) ? "stdin" : file;
375           int verify_err;
376           int i = 0, ret = 0;
377 
378           x = load_cert(bio_err, file, FORMAT_PEM, NULL, "certificate file");
379           if (x == NULL)
380                     goto end;
381 
382           if ((csc = X509_STORE_CTX_new()) == NULL)
383                     goto end;
384           X509_STORE_set_flags(ctx, vflags);
385           if (!X509_STORE_CTX_init(csc, ctx, x, uchain))
386                     goto end;
387           if (tchain)
388                     X509_STORE_CTX_trusted_stack(csc, tchain);
389           if (crls)
390                     X509_STORE_CTX_set0_crls(csc, crls);
391 
392           i = X509_verify_cert(csc);
393           verify_err = X509_STORE_CTX_get_error(csc);
394 
395           if (i > 0 && verify_err == X509_V_OK) {
396                     fprintf(stdout, "%s: OK\n", certfile);
397                     ret = 1;
398           } else {
399                     fprintf(stdout, "%s: verification failed: %d (%s)\n", certfile,
400                         verify_err, X509_verify_cert_error_string(verify_err));
401           }
402 
403  end:
404           if (i <= 0)
405                     ERR_print_errors(bio_err);
406           X509_free(x);
407           X509_STORE_CTX_free(csc);
408 
409           return (ret);
410 }
411 
412 static int
cb(int ok,X509_STORE_CTX * ctx)413 cb(int ok, X509_STORE_CTX *ctx)
414 {
415           int cert_error = X509_STORE_CTX_get_error(ctx);
416           X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
417 
418           if (!ok) {
419                     if (current_cert) {
420                               X509_NAME_print_ex_fp(stdout,
421                                   X509_get_subject_name(current_cert),
422                                   0, XN_FLAG_ONELINE);
423                               printf("\n");
424                     }
425                     printf("%serror %d at %d depth lookup:%s\n",
426                         X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path]" : "",
427                         cert_error,
428                         X509_STORE_CTX_get_error_depth(ctx),
429                         X509_verify_cert_error_string(cert_error));
430                     switch (cert_error) {
431                     case X509_V_ERR_NO_EXPLICIT_POLICY:
432                               policies_print(NULL, ctx);
433                     case X509_V_ERR_CERT_HAS_EXPIRED:
434 
435                               /*
436                                * since we are just checking the certificates, it is
437                                * ok if they are self signed. But we should still
438                                * warn the user.
439                                */
440 
441                     case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
442                               /* Continue after extension errors too */
443                     case X509_V_ERR_INVALID_CA:
444                     case X509_V_ERR_INVALID_NON_CA:
445                     case X509_V_ERR_PATH_LENGTH_EXCEEDED:
446                     case X509_V_ERR_INVALID_PURPOSE:
447                     case X509_V_ERR_CRL_HAS_EXPIRED:
448                     case X509_V_ERR_CRL_NOT_YET_VALID:
449                     case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
450                               ok = 1;
451 
452                     }
453 
454                     return ok;
455 
456           }
457           if (cert_error == X509_V_OK && ok == 2)
458                     policies_print(NULL, ctx);
459           if (!verify_config.verbose)
460                     ERR_clear_error();
461           return (ok);
462 }
463