author | Dmitry Belyavskiy <beldmit@gmail.com> | 2017-02-17 02:06:47 +0300 |
committer | Rich Salz <rsalz@openssl.org> | 2017-02-20 19:35:14 -0500 |
commit | ad39b31c1ce0323d6f6ec44842d955f9f2556adf (patch) | |
tree | ad0e978740fbeffe72ae869210ca0e04828e8571 | |
parent | b1498c98f3fb5b8a340acc9ce20b0fd5346294e5 (diff) |
Added '-nameopt' option to the verify command.
It makes it possible to print the certificate's DN correctly in case of verification errors.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2656)
-rw-r--r-- | apps/verify.c | 17 | ||||
-rw-r--r-- | doc/man1/verify.pod | 8 |
2 files changed, 22 insertions, 3 deletions
diff --git a/apps/verify.c b/apps/verify.c
index bd8349a508..a4eb465739 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -22,12 +22,13 @@ static int check(X509_STORE *ctx, const char *file,
                  STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
                  STACK_OF(X509_CRL) *crls, int show_chain);
 static int v_verbose = 0, vflags = 0;
+static unsigned long nmflag = 0;
 
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE,
     OPT_UNTRUSTED, OPT_TRUSTED, OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN,
-    OPT_V_ENUM,
+    OPT_V_ENUM, OPT_NAMEOPT,
     OPT_VERBOSE
 } OPTION_CHOICE;
 
@@ -51,6 +52,7 @@ const OPTIONS verify_options[] = {
      "Attempt to download CRL information for this certificate"},
     {"show_chain", OPT_SHOW_CHAIN, '-',
      "Display information about the certificate chain"},
+    {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
     OPT_V_OPTIONS,
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
@@ -68,6 +70,7 @@ int verify_main(int argc, char **argv)
     const char *prog, *CApath = NULL, *CAfile = NULL;
     int noCApath = 0, noCAfile = 0;
     int vpmtouched = 0, crl_download = 0, show_chain = 0, i = 0, ret = 1;
+    char nmflag_set = 0;
     OPTION_CHOICE o;
 
     if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
@@ -149,6 +152,11 @@ int verify_main(int argc, char **argv)
         case OPT_SHOW_CHAIN:
             show_chain = 1;
             break;
+        case OPT_NAMEOPT:
+            nmflag_set = 1;
+            if (!set_name_ex(&nmflag, opt_arg()))
+                goto end;
+            break;
         case OPT_VERBOSE:
             v_verbose = 1;
             break;
@@ -163,6 +171,9 @@ int verify_main(int argc, char **argv)
             goto end;
     }
 
+    if (!nmflag_set)
+        nmflag = XN_FLAG_ONELINE;
+
     if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
         goto end;
     X509_STORE_set_verify_cb(store, cb);
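Review bot: `char nmflag_set = 0;` in the verify_main declaration block uses a different type from every other boolean flag declared next to it (`noCApath`, `crl_download`, `show_chain` are all `int`), so the block stops reading uniformly and a `char` is used as a bool. `int nmflag_set = 0;` keeps the declarations consistent. verify_main continues outside the hunk.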
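Review bot: In the new `case OPT_NAMEOPT:` the `goto end;` after a failed `set_name_ex()` makes the command report failure (`ret` is initialised to 1 in the earlier hunk) but prints nothing, so a mistyped `-nameopt` value exits silently unless set_name_ex diagnoses it itself, which is not visible here. If verify_main has the usual `opthelp` label that its other option errors jump to, `goto opthelp;` would at least print the "use -help" hint; otherwise `BIO_printf(bio_err, "%s: unknown name option %s\n", prog, opt_arg());` before the goto would tell the user what was rejected. verify_main continues outside the hunk.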
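Review bot: The fallback `nmflag = XN_FLAG_ONELINE;` deserves a one-line comment, because `nmflag` is a file-scope static read by `check()` and `cb()` and the reason for this particular value is only visible in the later hunks, where it replaces the argument those two print sites previously hard-coded: `/* No -nameopt given: keep the format the print sites used before (XN_FLAG_ONELINE). */`. Note also that once any `-nameopt` is given the one-line flags are not ORed in, so a caller passing only e.g. `-nameopt utf8` loses the one-line layout; that appears to mirror how the x509 app treats the option and is acceptable, but the man page text added in this commit could say so. verify_main continues outside the hunk.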
@@ -242,7 +253,7 @@ static int check(X509_STORE *ctx, const char *file,
                 printf("depth=%d: ", j);
                 X509_NAME_print_ex_fp(stdout,
                                       X509_get_subject_name(cert),
-                                      0, XN_FLAG_ONELINE);
+                                      0, nmflag);
                 if (j < num_untrusted)
                     printf(" (untrusted)");
                 printf("\n");
@@ -271,7 +282,7 @@ static int cb(int ok, X509_STORE_CTX *ctx)
         if (current_cert) {
             X509_NAME_print_ex(bio_err,
                                X509_get_subject_name(current_cert),
-                               0, XN_FLAG_ONELINE);
+                               0, nmflag);
             BIO_printf(bio_err, "\n");
         }
         BIO_printf(bio_err, "%serror %d at %d depth lookup: %s\n",
diff --git a/doc/man1/verify.pod b/doc/man1/verify.pod
index 8ba5ff67e4..36050ece69 100644
--- a/doc/man1/verify.pod
+++ b/doc/man1/verify.pod
@@ -25,6 +25,7 @@ B<openssl> B<verify>
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]
+[B<-nameopt option>]
 [B<-no_check_time>]
 [B<-partial_chain>]
 [B<-policy arg>]
@@ -151,6 +152,13 @@ Set policy variable inhibit-any-policy (see RFC5280).
 
 Set policy variable inhibit-policy-mapping (see RFC5280).
 
+=item B<-nameopt option>
+
+option which determines how the subject or issuer names are displayed. The
+B<option> argument can be a single option or multiple options separated by
+commas. Alternatively the B<-nameopt> switch may be used more than once to
+set multiple options. See the L<x509(1)> manual page for details.
+
 =item B<-no_check_time>
 
 This option suppresses checking the validity period of certificates and CRLs
|
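Review bot: The subject name now printed with `nmflag` in `check()` (and likewise in `cb()` in the next hunk, on the verification-error path) is read from the certificate being verified, i.e. from untrusted input, so the selected name options decide whether control characters and non-ASCII bytes in a DN are escaped before they reach the terminal or a log that captures stderr. The previously hard-coded XN_FLAG_ONELINE carries RFC2253-style escaping as far as I recall, whereas a user-supplied `-nameopt` can turn that off; that is the user's choice, but it is worth a comment at each call site, e.g. `/* DN comes from the cert under test; nmflag controls how it is escaped */`. Both enclosing functions start and end outside their hunks.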