cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-11-03 20:22:59 -05:00
Code Issues Packages Projects Releases Wiki Activity

ca_path and ca_file arguments added to support chain validation in

Browse Source 
cert_app
This commit is contained in:
Paul Bakker 2013-05-21 16:20:04 +02:00
parent f6a19bd728
commit 777a5757d6
1 changed files with 123 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

126
programs/x509/cert_app.c
View File

@ -45,6 +45,8 @@
#define DFL_MODE MODE_NONE #define DFL_MODE MODE_NONE
#define DFL_FILENAME "cert.crt" #define DFL_FILENAME "cert.crt"
#define DFL_CA_FILE ""
#define DFL_CA_PATH ""
#define DFL_SERVER_NAME "localhost" #define DFL_SERVER_NAME "localhost"
#define DFL_SERVER_PORT 4433 #define DFL_SERVER_PORT 4433
#define DFL_DEBUG_LEVEL 0 #define DFL_DEBUG_LEVEL 0
@ -57,6 +59,8 @@ struct options
{ {
int mode; /* the mode to run the application in */ int mode; /* the mode to run the application in */
char *filename; /* filename of the certificate file */ char *filename; /* filename of the certificate file */
char *ca_file; /* the file with the CA certificate(s) */
char *ca_path; /* the path with the CA certificate(s) reside */
char *server_name; /* hostname of the server (client only) */ char *server_name; /* hostname of the server (client only) */
int server_port; /* port on which the ssl service runs */ int server_port; /* port on which the ssl service runs */
int debug_level; /* level of debugging */ int debug_level; /* level of debugging */
@ -72,11 +76,54 @@ void my_debug( void *ctx, int level, const char *str )
} }
} }
int my_verify( void *data, x509_cert *crt, int depth, int *flags )
{
char buf[1024];
((void) data);
printf( "\nVerify requested for (Depth %d):\n", depth );
x509parse_cert_info( buf, sizeof( buf ) - 1, "", crt );
printf( "%s", buf );
if( ( (*flags) & BADCERT_EXPIRED ) != 0 )
printf( " ! server certificate has expired\n" );
if( ( (*flags) & BADCERT_REVOKED ) != 0 )
printf( " ! server certificate has been revoked\n" );
if( ( (*flags) & BADCERT_CN_MISMATCH ) != 0 )
printf( " ! CN mismatch\n" );
if( ( (*flags) & BADCERT_NOT_TRUSTED ) != 0 )
printf( " ! self-signed or not signed by a trusted CA\n" );
if( ( (*flags) & BADCRL_NOT_TRUSTED ) != 0 )
printf( " ! CRL not trusted\n" );
if( ( (*flags) & BADCRL_EXPIRED ) != 0 )
printf( " ! CRL expired\n" );
if( ( (*flags) & BADCERT_OTHER ) != 0 )
printf( " ! other (unknown) flag\n" );
if ( ( *flags ) == 0 )
printf( " This certificate has no flags\n" );
return( 0 );
}
#define USAGE_IO \
" ca_file=%%s The single file containing the top-level CA(s) you fully trust\n" \
" default: \"\" (none)\n" \
" ca_path=%%s The path containing the top-level CA(s) you fully trust\n" \
" default: \"\" (none) (overrides ca_file)\n"
#define USAGE \ #define USAGE \
"\n usage: cert_app param=<>...\n" \ "\n usage: cert_app param=<>...\n" \
"\n acceptable parameters:\n" \ "\n acceptable parameters:\n" \
" mode=file|ssl default: none\n" \ " mode=file|ssl default: none\n" \
" filename=%%s default: cert.crt\n" \ " filename=%%s default: cert.crt\n" \
USAGE_IO \
" server_name=%%s default: localhost\n" \ " server_name=%%s default: localhost\n" \
" server_port=%%d default: 4433\n" \ " server_port=%%d default: 4433\n" \
" debug_level=%%d default: 0 (disabled)\n" \ " debug_level=%%d default: 0 (disabled)\n" \
@ -108,9 +155,11 @@ int main( int argc, char *argv[] )
entropy_context entropy; entropy_context entropy;
ctr_drbg_context ctr_drbg; ctr_drbg_context ctr_drbg;
ssl_context ssl; ssl_context ssl;
x509_cert cacert;
x509_cert clicert; x509_cert clicert;
rsa_context rsa; rsa_context rsa;
int i, j, n; int i, j, n;
int flags, verify = 0;
char *p, *q; char *p, *q;
char *pers = "cert_app"; char *pers = "cert_app";
@ -118,6 +167,7 @@ int main( int argc, char *argv[] )
* Set to sane values * Set to sane values
*/ */
server_fd = 0; server_fd = 0;
memset( &cacert, 0, sizeof( x509_cert ) );
memset( &clicert, 0, sizeof( x509_cert ) ); memset( &clicert, 0, sizeof( x509_cert ) );
memset( &rsa, 0, sizeof( rsa_context ) ); memset( &rsa, 0, sizeof( rsa_context ) );
@ -130,6 +180,8 @@ int main( int argc, char *argv[] )
opt.mode = DFL_MODE; opt.mode = DFL_MODE;
opt.filename = DFL_FILENAME; opt.filename = DFL_FILENAME;
opt.ca_file = DFL_CA_FILE;
opt.ca_path = DFL_CA_PATH;
opt.server_name = DFL_SERVER_NAME; opt.server_name = DFL_SERVER_NAME;
opt.server_port = DFL_SERVER_PORT; opt.server_port = DFL_SERVER_PORT;
opt.debug_level = DFL_DEBUG_LEVEL; opt.debug_level = DFL_DEBUG_LEVEL;
@ -161,6 +213,10 @@ int main( int argc, char *argv[] )
} }
else if( strcmp( p, "filename" ) == 0 ) else if( strcmp( p, "filename" ) == 0 )
opt.filename = q; opt.filename = q;
else if( strcmp( p, "ca_file" ) == 0 )
opt.ca_file = q;
else if( strcmp( p, "ca_path" ) == 0 )
opt.ca_path = q;
else if( strcmp( p, "server_name" ) == 0 ) else if( strcmp( p, "server_name" ) == 0 )
opt.server_name = q; opt.server_name = q;
else if( strcmp( p, "server_port" ) == 0 ) else if( strcmp( p, "server_port" ) == 0 )
@ -185,6 +241,31 @@ int main( int argc, char *argv[] )
goto usage; goto usage;
} }
/*
* 1.1. Load the trusted CA
*/
printf( " . Loading the CA root certificate ..." );
fflush( stdout );
if( strlen( opt.ca_path ) )
{
ret = x509parse_crtpath( &cacert, opt.ca_path );
verify = 1;
}
else if( strlen( opt.ca_file ) )
{
ret = x509parse_crtfile( &cacert, opt.ca_file );
verify = 1;
}
if( ret < 0 )
{
printf( " failed\n ! x509parse_crt returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok (%d skipped)\n", ret );
if( opt.mode == MODE_FILE ) if( opt.mode == MODE_FILE )
{ {
x509_cert crt; x509_cert crt;
@ -215,7 +296,6 @@ int main( int argc, char *argv[] )
printf( " ok\n" ); printf( " ok\n" );
/* /*
* 1.2 Print the certificate(s) * 1.2 Print the certificate(s)
*/ */
@ -235,6 +315,36 @@ int main( int argc, char *argv[] )
cur = cur->next; cur = cur->next;
} }
/*
* 1.3 Verify the certificate
*/
if( verify )
{
printf( " . Verifying X.509 certificate..." );
if( ( ret = x509parse_verify( &crt, &cacert, NULL, NULL, &flags,
my_verify, NULL ) ) != 0 )
{
printf( " failed\n" );
if( ( ret & BADCERT_EXPIRED ) != 0 )
printf( " ! server certificate has expired\n" );
if( ( ret & BADCERT_REVOKED ) != 0 )
printf( " ! server certificate has been revoked\n" );
if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name );
if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
printf( " ! self-signed or not signed by a trusted CA\n" );
printf( "\n" );
}
else
printf( " ok\n" );
}
x509_free( &crt ); x509_free( &crt );
} }
else if( opt.mode == MODE_SSL ) else if( opt.mode == MODE_SSL )
@ -253,6 +363,8 @@ int main( int argc, char *argv[] )
goto exit; goto exit;
} }
printf( " ok\n" );
/* /*
* 2. Start the connection * 2. Start the connection
*/ */
@ -277,7 +389,14 @@ int main( int argc, char *argv[] )
} }
ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE ); if( verify )
{
ssl_set_authmode( &ssl, SSL_VERIFY_REQUIRED );
ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
ssl_set_verify( &ssl, my_verify, NULL );
}
else
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout ); ssl_set_dbg( &ssl, my_debug, stdout );
@ -328,6 +447,7 @@ exit:
if( server_fd ) if( server_fd )
net_close( server_fd ); net_close( server_fd );
x509_free( &cacert );
x509_free( &clicert ); x509_free( &clicert );
rsa_free( &rsa ); rsa_free( &rsa );