pki: Support complex trustchain and revocation checking in --verify
This commit is contained in:
parent
74eedc8061
commit
f48c26bce3
|
@ -1160,9 +1160,9 @@ s_plugins=
|
|||
t_plugins=
|
||||
|
||||
ADD_PLUGIN([test-vectors], [s charon scepclient pki])
|
||||
ADD_PLUGIN([curl], [s charon scepclient scripts nm cmd])
|
||||
ADD_PLUGIN([winhttp], [s charon scripts])
|
||||
ADD_PLUGIN([soup], [s charon scripts nm cmd])
|
||||
ADD_PLUGIN([curl], [s charon scepclient pki scripts nm cmd])
|
||||
ADD_PLUGIN([winhttp], [s charon pki scripts])
|
||||
ADD_PLUGIN([soup], [s charon pki scripts nm cmd])
|
||||
ADD_PLUGIN([unbound], [s charon scripts])
|
||||
ADD_PLUGIN([ldap], [s charon scepclient scripts nm cmd])
|
||||
ADD_PLUGIN([mysql], [s charon pool manager medsrv attest])
|
||||
|
@ -1180,7 +1180,7 @@ ADD_PLUGIN([rdrand], [s charon scepclient pki scripts medsrv attes
|
|||
ADD_PLUGIN([random], [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
|
||||
ADD_PLUGIN([nonce], [s charon nm cmd aikgen])
|
||||
ADD_PLUGIN([x509], [s charon scepclient pki scripts attest nm cmd aikgen])
|
||||
ADD_PLUGIN([revocation], [s charon nm cmd])
|
||||
ADD_PLUGIN([revocation], [s charon pki nm cmd])
|
||||
ADD_PLUGIN([constraints], [s charon nm cmd])
|
||||
ADD_PLUGIN([acert], [s charon])
|
||||
ADD_PLUGIN([pubkey], [s charon cmd aikgen])
|
||||
|
|
|
@ -19,32 +19,53 @@
|
|||
|
||||
#include <credentials/certificates/certificate.h>
|
||||
#include <credentials/certificates/x509.h>
|
||||
#include <credentials/sets/mem_cred.h>
|
||||
|
||||
/**
|
||||
* Verify a certificate signature
|
||||
*/
|
||||
static int verify()
|
||||
{
|
||||
certificate_t *cert, *ca;
|
||||
char *file = NULL, *cafile = NULL;
|
||||
bool good = FALSE;
|
||||
char *arg;
|
||||
bool trusted = FALSE, valid = FALSE, revoked = FALSE;
|
||||
bool has_ca = FALSE, online = FALSE;
|
||||
certificate_t *cert;
|
||||
enumerator_t *enumerator;
|
||||
auth_cfg_t *auth;
|
||||
mem_cred_t *creds;
|
||||
char *arg, *file = NULL;
|
||||
|
||||
creds = mem_cred_create();
|
||||
lib->credmgr->add_set(lib->credmgr, &creds->set);
|
||||
|
||||
while (TRUE)
|
||||
{
|
||||
switch (command_getopt(&arg))
|
||||
{
|
||||
case 'h':
|
||||
creds->destroy(creds);
|
||||
return command_usage(NULL);
|
||||
case 'i':
|
||||
file = arg;
|
||||
continue;
|
||||
case 'c':
|
||||
cafile = arg;
|
||||
cert = lib->creds->create(lib->creds,
|
||||
CRED_CERTIFICATE, CERT_X509,
|
||||
BUILD_FROM_FILE, arg, BUILD_END);
|
||||
if (!cert)
|
||||
{
|
||||
fprintf(stderr, "parsing CA certificate failed\n");
|
||||
goto end;
|
||||
}
|
||||
has_ca = TRUE;
|
||||
creds->add_cert(creds, TRUE, cert);
|
||||
continue;
|
||||
case 'o':
|
||||
online = TRUE;
|
||||
continue;
|
||||
case EOF:
|
||||
break;
|
||||
default:
|
||||
creds->destroy(creds);
|
||||
return command_usage("invalid --verify option");
|
||||
}
|
||||
break;
|
||||
|
@ -63,7 +84,7 @@ static int verify()
|
|||
if (!chunk_from_fd(0, &chunk))
|
||||
{
|
||||
fprintf(stderr, "reading certificate failed: %s\n", strerror(errno));
|
||||
return 1;
|
||||
goto end;
|
||||
}
|
||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
||||
BUILD_BLOB, chunk, BUILD_END);
|
||||
|
@ -72,60 +93,76 @@ static int verify()
|
|||
if (!cert)
|
||||
{
|
||||
fprintf(stderr, "parsing certificate failed\n");
|
||||
return 1;
|
||||
goto end;
|
||||
}
|
||||
if (cafile)
|
||||
{
|
||||
ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
||||
BUILD_FROM_FILE, cafile, BUILD_END);
|
||||
if (!ca)
|
||||
{
|
||||
fprintf(stderr, "parsing CA certificate failed\n");
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
ca = cert;
|
||||
}
|
||||
if (cert->issued_by(cert, ca, NULL))
|
||||
creds->add_cert(creds, !has_ca, cert);
|
||||
|
||||
enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
|
||||
KEY_ANY, cert->get_subject(cert), online);
|
||||
if (enumerator->enumerate(enumerator, &cert, &auth))
|
||||
{
|
||||
trusted = TRUE;
|
||||
if (cert->get_validity(cert, NULL, NULL, NULL))
|
||||
{
|
||||
if (cafile)
|
||||
{
|
||||
if (ca->get_validity(ca, NULL, NULL, NULL))
|
||||
{
|
||||
printf("signature good, certificates valid\n");
|
||||
good = TRUE;
|
||||
}
|
||||
else
|
||||
{
|
||||
printf("signature good, CA certificates not valid now\n");
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
printf("signature good, certificate valid\n");
|
||||
good = TRUE;
|
||||
}
|
||||
printf("certificate trusted, lifetimes valid");
|
||||
valid = TRUE;
|
||||
}
|
||||
else
|
||||
{
|
||||
printf("certificate not valid now\n");
|
||||
printf("certificate trusted, but no valid lifetime");
|
||||
}
|
||||
if (online)
|
||||
{
|
||||
switch ((uintptr_t)auth->get(auth, AUTH_RULE_CRL_VALIDATION))
|
||||
{
|
||||
case VALIDATION_GOOD:
|
||||
printf(", certificate not revoked");
|
||||
break;
|
||||
case VALIDATION_SKIPPED:
|
||||
printf(", no revocation information");
|
||||
break;
|
||||
case VALIDATION_STALE:
|
||||
printf(", revocation information stale");
|
||||
break;
|
||||
case VALIDATION_FAILED:
|
||||
printf(", revocation checking failed");
|
||||
break;
|
||||
case VALIDATION_ON_HOLD:
|
||||
printf(", certificate revocation on hold");
|
||||
revoked = TRUE;
|
||||
break;
|
||||
case VALIDATION_REVOKED:
|
||||
printf(", certificate revoked");
|
||||
revoked = TRUE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
printf("\n");
|
||||
}
|
||||
else
|
||||
{
|
||||
printf("signature invalid\n");
|
||||
}
|
||||
if (cafile)
|
||||
{
|
||||
ca->destroy(ca);
|
||||
}
|
||||
cert->destroy(cert);
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
return good ? 0 : 2;
|
||||
if (!trusted)
|
||||
{
|
||||
printf("certificate untrusted\n");
|
||||
}
|
||||
|
||||
end:
|
||||
lib->credmgr->remove_set(lib->credmgr, &creds->set);
|
||||
creds->destroy(creds);
|
||||
|
||||
if (!trusted)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
if (!valid)
|
||||
{
|
||||
return 2;
|
||||
}
|
||||
if (revoked)
|
||||
{
|
||||
return 3;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -140,7 +177,8 @@ static void __attribute__ ((constructor))reg()
|
|||
{
|
||||
{"help", 'h', 0, "show usage information"},
|
||||
{"in", 'i', 1, "X.509 certificate to verify, default: stdin"},
|
||||
{"cacert", 'c', 1, "CA certificate, default: verify self signed"},
|
||||
{"cacert", 'c', 1, "CA certificate for trustchain verification"},
|
||||
{"online", 'o', 0, "enable online CRL/OCSP revocation checking"},
|
||||
}
|
||||
});
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue