2
0

dec.c 7.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248
  1. /* crypto/pkcs7/verify.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. #include <stdio.h>
  59. #include <stdlib.h>
  60. #include <string.h>
  61. #include <openssl/bio.h>
  62. #include <openssl/x509.h>
  63. #include <openssl/pem.h>
  64. #include <openssl/err.h>
  65. #include <openssl/asn1.h>
  66. int verify_callback(int ok, X509_STORE_CTX *ctx);
  67. BIO *bio_err=NULL;
  68. int main(argc,argv)
  69. int argc;
  70. char *argv[];
  71. {
  72. char *keyfile=NULL;
  73. BIO *in;
  74. EVP_PKEY *pkey;
  75. X509 *x509;
  76. PKCS7 *p7;
  77. PKCS7_SIGNER_INFO *si;
  78. X509_STORE_CTX cert_ctx;
  79. X509_STORE *cert_store=NULL;
  80. BIO *data,*detached=NULL,*p7bio=NULL;
  81. char buf[1024*4];
  82. unsigned char *pp;
  83. int i,printit=0;
  84. STACK_OF(PKCS7_SIGNER_INFO) *sk;
  85. OpenSSL_add_all_algorithms();
  86. bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
  87. data=BIO_new(BIO_s_file());
  88. pp=NULL;
  89. while (argc > 1)
  90. {
  91. argc--;
  92. argv++;
  93. if (strcmp(argv[0],"-p") == 0)
  94. {
  95. printit=1;
  96. }
  97. else if ((strcmp(argv[0],"-k") == 0) && (argc >= 2)) {
  98. keyfile = argv[1];
  99. argc-=1;
  100. argv+=1;
  101. } else if ((strcmp(argv[0],"-d") == 0) && (argc >= 2))
  102. {
  103. detached=BIO_new(BIO_s_file());
  104. if (!BIO_read_filename(detached,argv[1]))
  105. goto err;
  106. argc-=1;
  107. argv+=1;
  108. }
  109. else break;
  110. }
  111. if (!BIO_read_filename(data,argv[0])) goto err;
  112. if(!keyfile) {
  113. fprintf(stderr, "No private key file specified\n");
  114. goto err;
  115. }
  116. if ((in=BIO_new_file(keyfile,"r")) == NULL) goto err;
  117. if ((x509=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL) goto err;
  118. BIO_reset(in);
  119. if ((pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,NULL)) == NULL)
  120. goto err;
  121. BIO_free(in);
  122. if (pp == NULL)
  123. BIO_set_fp(data,stdin,BIO_NOCLOSE);
  124. /* Load the PKCS7 object from a file */
  125. if ((p7=PEM_read_bio_PKCS7(data,NULL,NULL,NULL)) == NULL) goto err;
  126. /* This stuff is being setup for certificate verification.
  127. * When using SSL, it could be replaced with a
  128. * cert_stre=SSL_CTX_get_cert_store(ssl_ctx); */
  129. cert_store=X509_STORE_new();
  130. X509_STORE_set_default_paths(cert_store);
  131. X509_STORE_load_locations(cert_store,NULL,"../../certs");
  132. X509_STORE_set_verify_cb_func(cert_store,verify_callback);
  133. ERR_clear_error();
  134. /* We need to process the data */
  135. /* We cannot support detached encryption */
  136. p7bio=PKCS7_dataDecode(p7,pkey,detached,x509);
  137. if (p7bio == NULL)
  138. {
  139. printf("problems decoding\n");
  140. goto err;
  141. }
  142. /* We now have to 'read' from p7bio to calculate digests etc. */
  143. for (;;)
  144. {
  145. i=BIO_read(p7bio,buf,sizeof(buf));
  146. /* print it? */
  147. if (i <= 0) break;
  148. fwrite(buf,1, i, stdout);
  149. }
  150. /* We can now verify signatures */
  151. sk=PKCS7_get_signer_info(p7);
  152. if (sk == NULL)
  153. {
  154. fprintf(stderr, "there are no signatures on this data\n");
  155. }
  156. else
  157. {
  158. /* Ok, first we need to, for each subject entry,
  159. * see if we can verify */
  160. ERR_clear_error();
  161. for (i=0; i<sk_PKCS7_SIGNER_INFO_num(sk); i++)
  162. {
  163. si=sk_PKCS7_SIGNER_INFO_value(sk,i);
  164. i=PKCS7_dataVerify(cert_store,&cert_ctx,p7bio,p7,si);
  165. if (i <= 0)
  166. goto err;
  167. else
  168. fprintf(stderr,"Signature verified\n");
  169. }
  170. }
  171. X509_STORE_free(cert_store);
  172. exit(0);
  173. err:
  174. ERR_load_crypto_strings();
  175. ERR_print_errors_fp(stderr);
  176. exit(1);
  177. }
  178. /* should be X509 * but we can just have them as char *. */
  179. int verify_callback(int ok, X509_STORE_CTX *ctx)
  180. {
  181. char buf[256];
  182. X509 *err_cert;
  183. int err,depth;
  184. err_cert=X509_STORE_CTX_get_current_cert(ctx);
  185. err= X509_STORE_CTX_get_error(ctx);
  186. depth= X509_STORE_CTX_get_error_depth(ctx);
  187. X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256);
  188. BIO_printf(bio_err,"depth=%d %s\n",depth,buf);
  189. if (!ok)
  190. {
  191. BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
  192. X509_verify_cert_error_string(err));
  193. if (depth < 6)
  194. {
  195. ok=1;
  196. X509_STORE_CTX_set_error(ctx,X509_V_OK);
  197. }
  198. else
  199. {
  200. ok=0;
  201. X509_STORE_CTX_set_error(ctx,X509_V_ERR_CERT_CHAIN_TOO_LONG);
  202. }
  203. }
  204. switch (ctx->error)
  205. {
  206. case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
  207. X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256);
  208. BIO_printf(bio_err,"issuer= %s\n",buf);
  209. break;
  210. case X509_V_ERR_CERT_NOT_YET_VALID:
  211. case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
  212. BIO_printf(bio_err,"notBefore=");
  213. ASN1_UTCTIME_print(bio_err,X509_get_notBefore(ctx->current_cert));
  214. BIO_printf(bio_err,"\n");
  215. break;
  216. case X509_V_ERR_CERT_HAS_EXPIRED:
  217. case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
  218. BIO_printf(bio_err,"notAfter=");
  219. ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ctx->current_cert));
  220. BIO_printf(bio_err,"\n");
  221. break;
  222. }
  223. BIO_printf(bio_err,"verify return:%d\n",ok);
  224. return(ok);
  225. }