Skip to content

Commit

Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Allows wolfclu to verify a cert chain of more than 2 certs.
Browse files Browse the repository at this point in the history
anhu committed Dec 4, 2024
1 parent e5d463a commit f3e2041
Showing 1 changed file with 12 additions and 26 deletions.
38 changes: 12 additions & 26 deletions src/sign-verify/clu_x509_verify.c
Original file line number Diff line number Diff line change
@@ -56,8 +56,7 @@ int wolfCLU_x509Verify(int argc, char** argv)
int option;
char* caCert = NULL;
char* verifyCert = NULL;
WOLFSSL_X509_STORE* store = NULL;
WOLFSSL_X509_LOOKUP* lookup = NULL;
WOLFSSL_CERT_MANAGER* cm = NULL;

/* last parameter is the certificate to verify */
if (XSTRNCMP("-h", argv[argc-1], 2) == 0) {
@@ -117,13 +116,6 @@ int wolfCLU_x509Verify(int argc, char** argv)
}
}

if (ret == WOLFCLU_SUCCESS) {
store = wolfSSL_X509_STORE_new();
if (store == NULL) {
ret = WOLFCLU_FATAL_ERROR;
}
}

if (ret == WOLFCLU_SUCCESS) {
if (inForm != PEM_FORM) {
wolfCLU_LogError("Only handling PEM CA files");
@@ -132,22 +124,18 @@ int wolfCLU_x509Verify(int argc, char** argv)
}

if (ret == WOLFCLU_SUCCESS) {
lookup = wolfSSL_X509_STORE_add_lookup(store,
wolfSSL_X509_LOOKUP_file());
if (lookup == NULL) {
wolfCLU_LogError("Failed to setup lookup");
cm = wolfSSL_CertManagerNew();
if (cm == NULL) {
ret = WOLFCLU_FATAL_ERROR;
}
}

/* Confirm CA file is root CA unless partialChain enabled */
if (ret == WOLFCLU_SUCCESS){
if (!partialChain && caCert != NULL){
if (ret == WOLFCLU_SUCCESS) {
if (!partialChain && caCert != NULL) {
int error;

error = wolfSSL_CertManagerVerify(store->cm, caCert,
WOLFSSL_FILETYPE_PEM);

error = wolfSSL_CertManagerVerify(cm, caCert, WOLFSSL_FILETYPE_PEM);
if (error != ASN_SELF_SIGNED_E) {
wolfCLU_LogError("CA file is not root CA");
ret = WOLFCLU_FATAL_ERROR;
@@ -168,8 +156,7 @@ int wolfCLU_x509Verify(int argc, char** argv)
}

if (ret == WOLFCLU_SUCCESS && caCert != NULL) {
if (wolfSSL_X509_LOOKUP_load_file(lookup, caCert, X509_FILETYPE_PEM)
!= WOLFSSL_SUCCESS) {
if (wolfSSL_CertManagerLoadCA(cm, caCert, NULL) != WOLFSSL_SUCCESS) {
wolfCLU_LogError("Failed to load CA file");
ret = WOLFCLU_FATAL_ERROR;
}
@@ -179,14 +166,14 @@ int wolfCLU_x509Verify(int argc, char** argv)
#ifdef HAVE_CRL
if (ret == WOLFCLU_SUCCESS) {
if (crlCheck) {
if (wolfSSL_CertManagerEnableCRL(store->cm, WOLFSSL_CRL_CHECKALL)
if (wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECKALL)
!= WOLFSSL_SUCCESS) {
wolfCLU_LogError("Failed to enable CRL use");
ret = WOLFCLU_FATAL_ERROR;
}
}
else {
if (wolfSSL_CertManagerDisableCRL(store->cm) != WOLFSSL_SUCCESS) {
if (wolfSSL_CertManagerDisableCRL(cm) != WOLFSSL_SUCCESS) {
wolfCLU_LogError("Failed to disable CRL use");
ret = WOLFCLU_FATAL_ERROR;
}
@@ -197,11 +184,10 @@ int wolfCLU_x509Verify(int argc, char** argv)
if (ret == WOLFCLU_SUCCESS) {
int err;

err = wolfSSL_CertManagerVerify(store->cm, verifyCert,
WOLFSSL_FILETYPE_PEM);
err = wolfSSL_CertManagerVerify(cm, verifyCert, WOLFSSL_FILETYPE_PEM);
if (err == ASN_NO_PEM_HEADER) {
/* most likely the file was DER if PEM header not found */
err = wolfSSL_CertManagerVerify(store->cm, verifyCert,
err = wolfSSL_CertManagerVerify(cm, verifyCert,
WOLFSSL_FILETYPE_ASN1);
}
if (err != WOLFSSL_SUCCESS) {
@@ -214,7 +200,7 @@ int wolfCLU_x509Verify(int argc, char** argv)
}
}

wolfSSL_X509_STORE_free(store);
wolfSSL_CertManagerFree(cm);
(void)crlCheck;
return ret;
#else

0 comments on commit f3e2041

Please sign in to comment.