246 lines
6.8 KiB
C
246 lines
6.8 KiB
C
/**
|
|
* @file certValidate.c
|
|
* @version $Format:%h%d$
|
|
*
|
|
* Standalone certificate parsing and chain validation test.
|
|
*/
|
|
/*
|
|
* Copyright (c) 2013-2016 INSIDE Secure Corporation
|
|
* Copyright (c) PeerSec Networks, 2002-2011
|
|
* All Rights Reserved
|
|
*
|
|
* The latest version of this code is available at http://www.matrixssl.org
|
|
*
|
|
* This software is open source; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This General Public License does NOT permit incorporating this software
|
|
* into proprietary programs. If you are unable to comply with the GPL, a
|
|
* commercial license for this software may be purchased from INSIDE at
|
|
* http://www.insidesecure.com/
|
|
*
|
|
* This program is distributed in WITHOUT ANY WARRANTY; without even the
|
|
* implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
|
* See the GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
* http://www.gnu.org/copyleft/gpl.html
|
|
*/
|
|
/******************************************************************************/
|
|
|
|
#include "matrixssl/matrixsslApi.h"
|
|
|
|
/****************************** Local Functions *******************************/
|
|
|
|
#if ((!defined USE_ONLY_PSK_CIPHER_SUITE) && (defined MATRIX_USE_FILE_SYSTEM))
|
|
|
|
static void usage(void)
|
|
{
|
|
printf("usage: certValidate <rootcert> <certchain> <expectedsubject>\n"
|
|
" <rootcert> PEM file containing one or more trusted root certs\n"
|
|
" If specified as NULL, no root certs will be loaded\n"
|
|
" <certchain> PEM file containing cert chain to validate\n"
|
|
" <subject> Name (usually DNS name) to match to certchain subject\n"
|
|
" If specified as NULL, subject will not be validated\n"
|
|
);
|
|
}
|
|
|
|
static char *flagstostr(int flags)
|
|
{
|
|
static char f[80]; /* Not reentrant, but good enough for this test */
|
|
char *s = f;
|
|
|
|
if (flags) {
|
|
s += sprintf(s, " (");
|
|
if (flags & PS_CERT_AUTH_FAIL_KEY_USAGE_FLAG) {
|
|
s += sprintf(s, "KEY_USAGE ");
|
|
}
|
|
if (flags & PS_CERT_AUTH_FAIL_EKU_FLAG) {
|
|
s += sprintf(s, "EXTENDED_KEY_USAGE ");
|
|
}
|
|
if (flags & PS_CERT_AUTH_FAIL_SUBJECT_FLAG) {
|
|
s += sprintf(s, "SUBJECT ");
|
|
}
|
|
if (flags & PS_CERT_AUTH_FAIL_DATE_FLAG) {
|
|
s += sprintf(s, "DATE ");
|
|
}
|
|
sprintf(s, ")");
|
|
return f;
|
|
}
|
|
return "";
|
|
}
|
|
|
|
static char *errtostr(int rc)
|
|
{
|
|
static char e[80]; /* Not reentrant, but good enough for this test */
|
|
|
|
switch (rc) {
|
|
case 0:
|
|
case PS_CERT_AUTH_PASS:
|
|
return "PASS";
|
|
break;
|
|
case PS_CERT_AUTH_FAIL_BC:
|
|
return "FAIL Basic Constraints";
|
|
break;
|
|
case PS_CERT_AUTH_FAIL_DN:
|
|
return "FAIL Distinguished Name Match";
|
|
break;
|
|
case PS_CERT_AUTH_FAIL_SIG:
|
|
return "FAIL Signature Validation";
|
|
break;
|
|
case PS_CERT_AUTH_FAIL_REVOKED:
|
|
return "FAIL Certificate Revoked";
|
|
break;
|
|
case PS_CERT_AUTH_FAIL:
|
|
return "FAIL Authentication Fail";
|
|
break;
|
|
case PS_CERT_AUTH_FAIL_EXTENSION:
|
|
return "FAIL Extension";
|
|
break;
|
|
case PS_CERT_AUTH_FAIL_PATH_LEN:
|
|
return "FAIL Path Length";
|
|
break;
|
|
case PS_CERT_AUTH_FAIL_AUTHKEY:
|
|
return "FAIL Auth Key / Subject Key Match";
|
|
break;
|
|
default:
|
|
sprintf(e, "FAIL %d", rc);
|
|
return e;
|
|
}
|
|
}
|
|
|
|
/******************************************************************************/
|
|
/*
|
|
Certificate validation test
|
|
*/
|
|
int32 main(int32 argc, char **argv)
|
|
{
|
|
psX509Cert_t *trusted, *chain, *cert;
|
|
psPool_t *pool;
|
|
int32 rc, i;
|
|
uint32 faildate, flags, depth;
|
|
|
|
rc = -1;
|
|
faildate = 0;
|
|
pool = NULL;
|
|
trusted = chain = NULL;
|
|
|
|
if (argc != 4) {
|
|
usage();
|
|
return -1;
|
|
}
|
|
|
|
if ((rc = matrixSslOpen()) < 0) {
|
|
_psTrace("MatrixSSL library init failure. Exiting\n");
|
|
return rc;
|
|
}
|
|
|
|
if (strcmp(argv[1], "NULL") != 0) {
|
|
if ((rc = psX509ParseCertFile(pool, argv[1], &trusted, 0)) < 0) {
|
|
if (rc == PS_PLATFORM_FAIL) {
|
|
printf("FAIL open file %s %d\n", argv[1], rc);
|
|
} else {
|
|
printf("FAIL parse %s %d\n", argv[1], rc);
|
|
}
|
|
goto L_EXIT;
|
|
}
|
|
printf(" Loaded root file %s\n", argv[1]);
|
|
for (cert = trusted, i = 0; cert != NULL; cert = cert->next, i++) {
|
|
printf(" [%d]:%s\n", i, cert->subject.commonName);
|
|
psAssert(cert->authStatus == 0);
|
|
faildate |= cert->authFailFlags & PS_CERT_AUTH_FAIL_DATE_FLAG;
|
|
psAssert((cert->authFailFlags & ~faildate) == 0);
|
|
}
|
|
}
|
|
|
|
if ((rc = psX509ParseCertFile(pool, argv[2], &chain, 0)) < 0) {
|
|
if (rc == PS_PLATFORM_FAIL) {
|
|
printf("FAIL open file %s %d\n", argv[2], rc);
|
|
} else {
|
|
printf("FAIL parse %s %d\n", argv[2], rc);
|
|
}
|
|
goto L_EXIT;
|
|
}
|
|
printf(" Loaded chain file %s\n", argv[2]);
|
|
for (cert = chain, i = 0; cert != NULL; cert = cert->next, i++) {
|
|
printf(" [%d]:%s\n", i, cert->subject.commonName);
|
|
psAssert(cert->authStatus == 0);
|
|
faildate |= cert->authFailFlags & PS_CERT_AUTH_FAIL_DATE_FLAG;
|
|
psAssert((cert->authFailFlags & ~faildate) == 0);
|
|
}
|
|
|
|
if (strcmp(argv[3], "NULL") != 0) {
|
|
if (psX509ValidateGeneralName(argv[3]) < 0) {
|
|
printf("FAIL validate general name %s\n", argv[3]);
|
|
goto L_EXIT;
|
|
}
|
|
rc = matrixValidateCerts(pool, chain, trusted, argv[3], &cert, NULL,
|
|
NULL);
|
|
} else {
|
|
printf("WARN subject not validated\n");
|
|
rc = matrixValidateCerts(pool, chain, trusted, NULL, &cert, NULL, NULL);
|
|
}
|
|
if (rc < 0) {
|
|
printf("%s\n", errtostr(rc));
|
|
for (cert = chain, i = 0; cert != NULL; cert = cert->next, i++) {
|
|
printf(" Validate:%s[%d]:%s FAIL %d, status=%d, flags=%u\n",
|
|
argv[2], i, cert->subject.commonName, rc,
|
|
cert->authStatus, cert->authFailFlags);
|
|
if (cert->authStatus != PS_CERT_AUTH_PASS) {
|
|
printf(" authStatus %s\n", errtostr(cert->authStatus));
|
|
}
|
|
if (cert->authFailFlags) {
|
|
printf(" authFailFlags %s\n", flagstostr(cert->authFailFlags));
|
|
}
|
|
}
|
|
goto L_EXIT;
|
|
}
|
|
/* If faildate is set and we don't have an error in rc... */
|
|
psAssert(faildate == 0);
|
|
|
|
flags = depth = 0;
|
|
printf(" Validate %s:%s rc %d\n", argv[2], cert->subject.commonName, rc);
|
|
for (cert = chain, i = 0; cert != NULL; cert = cert->next, i++) {
|
|
printf(" [%d] authStatus=%d, authFailFlags=%u\n",
|
|
i, cert->authStatus, cert->authFailFlags);
|
|
if (cert->authStatus != PS_CERT_AUTH_PASS) {
|
|
depth = i;
|
|
rc = cert->authStatus;
|
|
flags |= cert->authFailFlags;
|
|
} else {
|
|
psAssert(cert->authFailFlags == 0);
|
|
}
|
|
}
|
|
if (rc < 0) {
|
|
printf("%s%s in %s[%d]\n", errtostr(rc), flagstostr(flags),
|
|
argv[2], depth);
|
|
goto L_EXIT;
|
|
}
|
|
printf("PASS\n");
|
|
rc = 0;
|
|
|
|
L_EXIT:
|
|
if (trusted) psX509FreeCert(trusted);
|
|
if (chain) psX509FreeCert(chain);
|
|
matrixSslClose();
|
|
|
|
return rc;
|
|
}
|
|
|
|
#else
|
|
|
|
int32 main(int32 argc, char **argv)
|
|
{
|
|
printf("Not applicable when USE_ONLY_PSK_CIPHER_SUITE defined\n");
|
|
return 0;
|
|
}
|
|
|
|
#endif /* USE_ONLY_PSK_CIPHER_SUITE */
|
|
|
|
/******************************************************************************/
|
|
|