Extend -show_chain option to verify to show more info

The -show_chain flag to the verify command line app shows information about
the chain that has been built. This commit adds the text "untrusted" against
those certificates that have been used from the untrusted list.

Reviewed-by: Rich Salz <rsalz@openssl.org>

diff --git a/apps/verify.c b/apps/verify.c
index f6cea31f40096b1c48c57b2d492c74561e26f78b..a823d58a75d648904aa6e1cd4f0de6033635e164 100644 (file)
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -244,6 +244,7 @@ static int check(X509_STORE *ctx, char *file,
     int i = 0, ret = 0;
     X509_STORE_CTX *csc;
     STACK_OF(X509) *chain = NULL;
+    int num_untrusted;
 
     x = load_cert(file, FORMAT_PEM, NULL, e, "certificate file");
     if (x == NULL)
@@ -265,8 +266,10 @@ static int check(X509_STORE *ctx, char *file,
     if (crls)
         X509_STORE_CTX_set0_crls(csc, crls);
     i = X509_verify_cert(csc);
-    if (i > 0 && show_chain)
+    if (i > 0 && show_chain) {
         chain = X509_STORE_CTX_get1_chain(csc);
+        num_untrusted = X509_STORE_CTX_get_num_untrusted(csc);
+    }
     X509_STORE_CTX_free(csc);
 
     ret = 0;
@@ -284,6 +287,9 @@ static int check(X509_STORE *ctx, char *file,
             X509_NAME_print_ex_fp(stdout,
                                   X509_get_subject_name(cert),
                                   0, XN_FLAG_ONELINE);
+            if (i < num_untrusted) {
+                printf(" (untrusted)");
+            }
             printf("\n");
         }
         sk_X509_pop_free(chain, X509_free);

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 7222113c683fea05979482b62ff1e40398c11b50..df012ddeb024c76f47d3424b69d55c5428560b97 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2452,6 +2452,11 @@ int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
     return ctx->explicit_policy;
 }
 
+int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx)
+{
+    return ctx->last_untrusted;
+}
+
 int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
 {
     const X509_VERIFY_PARAM *param;

diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index 242b9ee9fa0a3fd06002e1f428a800533cce9866..9cc7fcb817917b6adba6e53999b2385163d66303 100644 (file)
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -42,6 +42,7 @@ B<openssl> B<verify>
 [B<-verify_ip ip>]
 [B<-verify_name name>]
 [B<-x509_strict>]
+[B<-show_chain>]
 [B<->]
 [certificates]
 
@@ -227,6 +228,12 @@ Supported usages include: default, pkcs7, smime_sign, ssl_client, ssl_server.
 For strict X.509 compliance, disable non-compliant workarounds for broken
 certificates.
 
+=item B<-show_chain>
+
+Display information about the certificate chain that has been built (if
+successful). Certificates in the chain that came from the untrusted list will be
+flagged as "untrusted".
+
 =item B<->
 
 Indicates the last option. All arguments following this are assumed to be
@@ -491,6 +498,6 @@ L<x509(1)|x509(1)>
 
 =head1 HISTORY
 
-The -no_alt_chains options was first added to OpenSSL 1.1.0.
+The -show_chain option was first added to OpenSSL 1.1.0.
 
 =cut

diff --git a/doc/crypto/X509_STORE_CTX_new.pod b/doc/crypto/X509_STORE_CTX_new.pod
index 7c154572ec5446bd8b7fee779c1ad3a11f3d825d..f8907d7ebb40d4f8421d31a00414a2943efe4770 100644 (file)
--- a/doc/crypto/X509_STORE_CTX_new.pod
+++ b/doc/crypto/X509_STORE_CTX_new.pod
@@ -25,6 +25,8 @@ X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free, X509_STORE_CTX_
  void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
  int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
 
+ int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx);
+
 =head1 DESCRIPTION
 
 These functions initialise an B<X509_STORE_CTX> structure for subsequent use
@@ -76,6 +78,9 @@ X509_STORE_CTX_set_default() looks up and sets the default verification
 method to B<name>. This uses the function X509_VERIFY_PARAM_lookup() to
 find an appropriate set of parameters from B<name>.
 
+X509_STORE_CTX_get_num_untrusted() returns the number of untrusted certificates
+that were used in building the chain following a call to X509_verify_cert().
+
 =head1 NOTES
 
 The certificates and CRLs in a store are used internally and should B<not>
@@ -116,6 +121,9 @@ values.
 
 X509_STORE_CTX_set_default() returns 1 for success or 0 if an error occurred.
 
+X509_STORE_CTX_get_num_untrusted() returns the number of untrusted certificates
+used.
+
 =head1 SEE ALSO
 
 L<X509_verify_cert(3)|X509_verify_cert(3)>
@@ -124,5 +132,6 @@ L<X509_VERIFY_PARAM_set_flags(3)|X509_VERIFY_PARAM_set_flags(3)>
 =head1 HISTORY
 
 X509_STORE_CTX_set0_crls() was first added to OpenSSL 1.0.0
+X509_STORE_CTX_get_num_untrusted() was first added to OpenSSL 1.1.0
 
 =cut

diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index 4ad20296f8818d7eff5b480f05630bbcf7d37f1e..8e0a2254009518f1e2de38d5f6e8bc137768fdfa 100644 (file)
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -528,6 +528,7 @@ void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
 
 X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx);
 int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
+int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx);
 
 X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);