authorDr. Stephen Henson <steve@openssl.org>2012-12-26 15:27:44 +0000
committerDr. Stephen Henson <steve@openssl.org>2012-12-26 15:27:44 +0000
commit6660baee66e474058229911950e26e56f31fb0bf (patch)
treea5d7fda0ea6ae9e85f3bbab82fcd752264932dfa /apps/s_cb.c
parent25d4c9254c1ccb2f9974abd9a9fd64ddb14f7832 (diff)
Make tls1_check_chain return a set of flags indicating checks passed
by a certificate chain. Add additional tests to handle client certificates: checks for matching certificate type and issuer name comparison. Print out results of checks for each candidate chain tested in s_server/s_client. (backport from HEAD)
Diffstat (limited to 'apps/s_cb.c')
-rw-r--r--apps/s_cb.c47
1 files changed, 45 insertions, 2 deletions
diff --git a/apps/s_cb.c b/apps/s_cb.c
index f994fbd93b..550fa6cc33 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -1136,12 +1136,45 @@ struct ssl_excert_st
struct ssl_excert_st *next, *prev;
};
+struct chain_flags
+ {
+ int flag;
+ const char *name;
+ };
+
+struct chain_flags chain_flags_list[] =
+ {
+ {CERT_PKEY_VALID, "Overall Validity"},
+ {CERT_PKEY_SIGN, "Sign with EE key"},
+ {CERT_PKEY_EE_SIGNATURE, "EE signature"},
+ {CERT_PKEY_CA_SIGNATURE, "CA signature"},
+ {CERT_PKEY_EE_PARAM, "EE key parameters"},
+ {CERT_PKEY_CA_PARAM, "CA key parameters"},
+ {CERT_PKEY_EXPLICIT_SIGN, "Explicity sign with EE key"},
+ {CERT_PKEY_ISSUER_NAME, "Issuer Name"},
+ {CERT_PKEY_CERT_TYPE, "Certificate Type"},
+ {0, NULL}
+ };
+
+
+static void print_chain_flags(BIO *out, int flags)
+ {
+ struct chain_flags *ctmp = chain_flags_list;
+ while(ctmp->name)
+ {
+ BIO_printf(out, "\t%s: %s\n", ctmp->name,
+ flags & ctmp->flag ? "OK" : "NOT OK");
+ ctmp++;
+ }
+ }
+
/* Very basic selection callback: just use any certificate chain
* reported as valid. More sophisticated could prioritise according
* to local policy.
*/
static int set_cert_cb(SSL *ssl, void *arg)
{
+ int i, rv;
SSL_EXCERT *exc = arg;
SSL_certs_clear(ssl);
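Review bot: `chain_flags_list` is a file-scope lookup table that is neither `static` nor `const`, so it is exported from the object and placed in writable data although nothing in the hunk modifies it; `print_chain_flags` only reads through it. Declare it `static const struct chain_flags chain_flags_list[] =` and walk it with `const struct chain_flags *ctmp = chain_flags_list;`, which keeps the symbol private to s_cb.c and lets the compiler place the table in read-only storage. The label for `CERT_PKEY_EXPLICIT_SIGN` reads "Explicity sign with EE key"; since this string is printed to the user it should be "Explicitly sign with EE key". `set_cert_cb` continues past the end of this hunk.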
@@ -1153,10 +1186,20 @@ static int set_cert_cb(SSL *ssl, void *arg)
*/
while (exc->next)
exc = exc->next;
-
+
+ i = 0;
+
while(exc)
{
- if (SSL_check_chain(ssl, exc->cert, exc->key, exc->chain))
+ i++;
+ rv = SSL_check_chain(ssl, exc->cert, exc->key, exc->chain);
+ BIO_printf(bio_err, "Checking cert chain %d:\nSubject: ", i);
+ X509_NAME_print_ex(bio_err, X509_get_subject_name(exc->cert), 0,
+ XN_FLAG_ONELINE);
+ BIO_puts(bio_err, "\n");
+
+ print_chain_flags(bio_err, rv);
+ if (rv & CERT_PKEY_VALID)
{
SSL_use_certificate(ssl, exc->cert);
SSL_use_PrivateKey(ssl, exc->key);
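Review bot: The meaning of `rv` is not stated anywhere in the loop, and a reader has to know that `SSL_check_chain` returns a bitmask of `CERT_PKEY_*` flags rather than a boolean to understand why it is both passed to `print_chain_flags` and tested with `& CERT_PKEY_VALID`. A comment above the call, such as `/* rv is the set of CERT_PKEY_* flags the chain passed; CERT_PKEY_VALID means all checks succeeded */`, would make the selection rule explicit. The per-chain diagnostics are written to `bio_err` unconditionally, so every callback invocation now prints the subject and flag table of each candidate chain; if that is meant as debugging output a one-line comment saying so would help the next maintainer decide whether it belongs behind a verbosity option. `set_cert_cb` begins before and ends after this hunk.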