OWEALs
/
curl
mirror of https://github.com/curl/curl.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141
							/***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at https://curl.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * SPDX-License-Identifier: curl
 *
 ***************************************************************************/
#include "test.h"

#include "memdebug.h"

/*
 * Verify correct order of certificates in the chain by comparing the
 * subject and issuer attributes of each certificate.
 */
static bool is_chain_in_order(struct curl_certinfo *cert_info)
{
  char *last_issuer = NULL;
  int cert;

  /* Chains with only a single certificate are always in order */
  if(cert_info->num_of_certs <= 1)
    return 1;

  /* Enumerate each certificate in the chain */
  for(cert = 0; cert < cert_info->num_of_certs; cert++) {
    struct curl_slist *slist = cert_info->certinfo[cert];
    char *issuer = NULL;
    char *subject = NULL;

    /* Find the certificate issuer and subject by enumerating each field */
    for(; slist && (!issuer || !subject); slist = slist->next) {
      const char issuer_prefix[] = "Issuer:";
      const char subject_prefix[] = "Subject:";

      if(!strncmp(slist->data, issuer_prefix, sizeof(issuer_prefix)-1)) {
        issuer = slist->data + sizeof(issuer_prefix)-1;
      }
      if(!strncmp(slist->data, subject_prefix, sizeof(subject_prefix)-1)) {
        subject = slist->data + sizeof(subject_prefix)-1;
      }
    }

    if(subject && issuer) {
      printf("cert %d\n", cert);
      printf("  subject: %s\n", subject);
      printf("  issuer: %s\n", issuer);

      if(last_issuer) {
        /* If the last certificate's issuer matches the current certificate's
         * subject, then the chain is in order */
        if(strcmp(last_issuer, subject) != 0) {
          fprintf(stderr, "cert %d issuer does not match cert %d subject\n",
                  cert - 1, cert);
          fprintf(stderr, "certificate chain is not in order\n");
          return false;
        }
      }
    }

    last_issuer = issuer;
  }

  printf("certificate chain is in order\n");
  return true;
}

static size_t wrfu(void *ptr,  size_t  size,  size_t  nmemb,  void *stream)
{
  (void)stream;
  (void)ptr;
  return size * nmemb;
}

int test(char *URL)
{
  CURL *curl;
  CURLcode res = CURLE_OK;

  if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) {
    fprintf(stderr, "curl_global_init() failed\n");
    return TEST_ERR_MAJOR_BAD;
  }

  curl = curl_easy_init();
  if(!curl) {
    fprintf(stderr, "curl_easy_init() failed\n");
    curl_global_cleanup();
    return TEST_ERR_MAJOR_BAD;
  }

  /* Set the HTTPS url to retrieve. */
  test_setopt(curl, CURLOPT_URL, URL);

  /* Capture certificate information */
  test_setopt(curl, CURLOPT_CERTINFO, 1L);

  /* Ignore output */
  test_setopt(curl, CURLOPT_WRITEFUNCTION, wrfu);

  /* No peer verify */
  test_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
  test_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);

  /* Perform the request, res will get the return code */
  res = curl_easy_perform(curl);
  if(!res || res == CURLE_GOT_NOTHING) {
    struct curl_certinfo *cert_info = NULL;
    /* Get the certificate information */
    res = curl_easy_getinfo(curl, CURLINFO_CERTINFO, &cert_info);
    if(!res) {
      /* Check to see if the certificate chain is ordered correctly */
      if(!is_chain_in_order(cert_info))
        res = TEST_ERR_FAILURE;
    }
  }

test_cleanup:

  /* always cleanup */
  curl_easy_cleanup(curl);
  curl_global_cleanup();

  return res;
}