![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to verify.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / pki / commands|
Return to verify.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / pki / commands |
1.1 misho 1: /*
2: * Copyright (C) 2016-2018 Tobias Brunner
3: * Copyright (C) 2009 Martin Willi
4: * HSR Hochschule fuer Technik Rapperswil
5: *
6: * This program is free software; you can redistribute it and/or modify it
7: * under the terms of the GNU General Public License as published by the
8: * Free Software Foundation; either version 2 of the License, or (at your
9: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10: *
11: * This program is distributed in the hope that it will be useful, but
12: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14: * for more details.
15: */
16:
17: #include <sys/types.h>
18: #include <sys/stat.h>
19: #include <unistd.h>
20: #include <errno.h>
21:
22: #include "pki.h"
23:
24: #include <credentials/certificates/certificate.h>
25: #include <credentials/certificates/x509.h>
26: #include <credentials/sets/mem_cred.h>
27:
28: /**
29: * Load a CA or CRL and add it to the credential set
30: */
31: static bool load_cert(mem_cred_t *creds, char *path, certificate_type_t subtype)
32: {
33: certificate_t *cert;
34: char *credname;
35:
36: switch (subtype)
37: {
38: case CERT_X509:
39: credname = "CA certificate";
40: break;
41: case CERT_X509_CRL:
42: credname = "CRL";
43: break;
44: default:
45: return FALSE;
46: }
47: cert = lib->creds->create(lib->creds,
48: CRED_CERTIFICATE, subtype,
49: BUILD_FROM_FILE, path, BUILD_END);
50: if (!cert)
51: {
52: fprintf(stderr, "parsing %s from '%s' failed\n", credname, path);
53: return FALSE;
54: }
55: if (subtype == CERT_X509_CRL)
56: {
57: creds->add_crl(creds, (crl_t*)cert);
58: }
59: else
60: {
61: creds->add_cert(creds, TRUE, cert);
62: }
63: return TRUE;
64: }
65:
66: /**
67: * Load CA cert or CRL either from a file or a path
68: */
69: static bool load_certs(mem_cred_t *creds, char *path,
70: certificate_type_t subtype)
71: {
72: enumerator_t *enumerator;
73: struct stat st;
74: bool loaded = FALSE;
75:
76: if (stat(path, &st))
77: {
78: fprintf(stderr, "failed to access '%s': %s\n", path, strerror(errno));
79: return FALSE;
80: }
81: if (S_ISDIR(st.st_mode))
82: {
83: enumerator = enumerator_create_directory(path);
84: if (!enumerator)
85: {
86: fprintf(stderr, "directory '%s' can not be opened: %s",
87: path, strerror(errno));
88: return FALSE;
89: }
90: while (enumerator->enumerate(enumerator, NULL, &path, &st))
91: {
92: if (S_ISREG(st.st_mode) && load_cert(creds, path, subtype))
93: {
94: loaded = TRUE;
95: }
96: }
97: enumerator->destroy(enumerator);
98: }
99: else
100: {
101: loaded = load_cert(creds, path, subtype);
102: }
103: return loaded;
104: }
105:
106: /**
107: * Verify a certificate signature
108: */
109: static int verify()
110: {
111: bool trusted = FALSE, valid = FALSE, revoked = FALSE;
112: bool has_ca = FALSE, online = FALSE;
113: certificate_t *cert;
114: enumerator_t *enumerator;
115: auth_cfg_t *auth;
116: mem_cred_t *creds;
117: char *arg, *file = NULL;
118:
119: creds = mem_cred_create();
120: lib->credmgr->add_set(lib->credmgr, &creds->set);
121:
122: while (TRUE)
123: {
124: switch (command_getopt(&arg))
125: {
126: case 'h':
127: creds->destroy(creds);
128: return command_usage(NULL);
129: case 'i':
130: file = arg;
131: continue;
132: case 'c':
133: if (load_certs(creds, arg, CERT_X509))
134: {
135: has_ca = TRUE;
136: }
137: continue;
138: case 'l':
139: if (load_certs(creds, arg, CERT_X509_CRL))
140: {
141: online = TRUE;
142: }
143: continue;
144: case 'o':
145: online = TRUE;
146: continue;
147: case EOF:
148: break;
149: default:
150: creds->destroy(creds);
151: return command_usage("invalid --verify option");
152: }
153: break;
154: }
155:
156: if (file)
157: {
158: cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
159: BUILD_FROM_FILE, file, BUILD_END);
160: }
161: else
162: {
163: chunk_t chunk;
164:
165: set_file_mode(stdin, CERT_ASN1_DER);
166: if (!chunk_from_fd(0, &chunk))
167: {
168: fprintf(stderr, "reading certificate failed: %s\n", strerror(errno));
169: goto end;
170: }
171: cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
172: BUILD_BLOB, chunk, BUILD_END);
173: free(chunk.ptr);
174: }
175: if (!cert)
176: {
177: fprintf(stderr, "parsing certificate failed\n");
178: goto end;
179: }
180: cert = creds->add_cert_ref(creds, !has_ca, cert);
181:
182: enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr,
183: KEY_ANY, cert->get_subject(cert), online);
184: if (enumerator->enumerate(enumerator, &cert, &auth))
185: {
186: trusted = TRUE;
187: if (cert->get_validity(cert, NULL, NULL, NULL))
188: {
189: printf("certificate trusted, lifetimes valid");
190: valid = TRUE;
191: }
192: else
193: {
194: printf("certificate trusted, but no valid lifetime");
195: }
196: if (online)
197: {
198: switch ((uintptr_t)auth->get(auth, AUTH_RULE_CRL_VALIDATION))
199: {
200: case VALIDATION_GOOD:
201: printf(", certificate not revoked");
202: break;
203: case VALIDATION_SKIPPED:
204: printf(", no revocation information");
205: break;
206: case VALIDATION_STALE:
207: printf(", revocation information stale");
208: break;
209: case VALIDATION_FAILED:
210: printf(", revocation checking failed");
211: break;
212: case VALIDATION_ON_HOLD:
213: printf(", certificate revocation on hold");
214: revoked = TRUE;
215: break;
216: case VALIDATION_REVOKED:
217: printf(", certificate revoked");
218: revoked = TRUE;
219: break;
220: }
221: }
222: printf("\n");
223: }
224: enumerator->destroy(enumerator);
225: cert->destroy(cert);
226:
227: if (!trusted)
228: {
229: printf("certificate untrusted\n");
230: }
231:
232: end:
233: lib->credmgr->remove_set(lib->credmgr, &creds->set);
234: creds->destroy(creds);
235:
236: if (!trusted)
237: {
238: return 1;
239: }
240: if (!valid)
241: {
242: return 2;
243: }
244: if (revoked)
245: {
246: return 3;
247: }
248: return 0;
249: }
250:
251: /**
252: * Register the command.
253: */
254: static void __attribute__ ((constructor))reg()
255: {
256: command_register((command_t) {
257: verify, 'v', "verify",
258: "verify a certificate using the CA certificate",
259: {"[--in file] [--cacert file] [--crl file]"},
260: {
261: {"help", 'h', 0, "show usage information"},
262: {"in", 'i', 1, "X.509 certificate to verify, default: stdin"},
263: {"cacert", 'c', 1, "CA certificate for trustchain verification"},
264: {"crl", 'l', 1, "CRL for trustchain verification"},
265: {"online", 'o', 0, "enable online CRL/OCSP revocation checking"},
266: }
267: });
268: }