diff options
| author | Carl Hetherington <cth@carlh.net> | 2017-04-04 23:15:23 +0100 |
|---|---|---|
| committer | Carl Hetherington <cth@carlh.net> | 2017-04-04 23:15:23 +0100 |
| commit | 45fd7558122b679e017eaf9c1f6d10061ada72a8 (patch) | |
| tree | 2cb1f432b5df53a3c9d065c1130ded6076e43fd2 /src | |
| parent | 2525b8babdfe69f81ad873f1a89d914f56174d91 (diff) | |
More error information from CertificateChain::valid.
Diffstat (limited to 'src')
| -rw-r--r-- | src/certificate_chain.cc | 26 | ||||
| -rw-r--r-- | src/certificate_chain.h | 2 |
2 files changed, 23 insertions, 5 deletions
diff --git a/src/certificate_chain.cc b/src/certificate_chain.cc index f06b2c3e..d6b8a7a0 100644 --- a/src/certificate_chain.cc +++ b/src/certificate_chain.cc @@ -402,18 +402,21 @@ CertificateChain::remove (int i) /** Check to see if the chain is valid (i.e. root signs the intermediate, intermediate * signs the leaf and so on) and that the private key (if there is one) matches the * leaf certificate. + * @param valid if non-0 and the CertificateChain is not valid, this is filled in with + * an explanation. * @return true if it's ok, false if not. */ bool -CertificateChain::valid () const +CertificateChain::valid (string* reason) const { /* Check the certificate chain */ X509_STORE* store = X509_STORE_new (); if (!store) { - return false; + throw MiscError ("could not create X509 store"); } + int n = 1; for (List::const_iterator i = _certificates.begin(); i != _certificates.end(); ++i) { List::const_iterator j = i; @@ -424,19 +427,25 @@ CertificateChain::valid () const if (!X509_STORE_add_cert (store, i->x509 ())) { X509_STORE_free (store); + if (reason) { + *reason = "X509_STORE_add_cert failed"; + } return false; } X509_STORE_CTX* ctx = X509_STORE_CTX_new (); if (!ctx) { X509_STORE_free (store); - return false; + throw MiscError ("could not create X509 store context"); } X509_STORE_set_flags (store, 0); - if (!X509_STORE_CTX_init (ctx, store, j->x509 (), 0)) { + if (!X509_STORE_CTX_init (ctx, store, j->x509(), 0)) { X509_STORE_CTX_free (ctx); X509_STORE_free (store); + if (reason) { + *reason = "X509_STORE_CTX_init failed"; + } return false; } @@ -445,8 +454,13 @@ CertificateChain::valid () const if (v == 0) { X509_STORE_free (store); + if (reason) { + *reason = String::compose ("X509_verify_cert failed for certificate number %1", n); + } return false; } + + ++n; } X509_STORE_free (store); @@ -477,6 +491,10 @@ CertificateChain::valid () const #endif BIO_free (bio); + if (!valid && reason) { + *reason = "leaf certificate does not match private key"; + } + return valid; } diff --git a/src/certificate_chain.h b/src/certificate_chain.h index 9d7ab47c..b5954d5b 100644 --- a/src/certificate_chain.h +++ b/src/certificate_chain.h @@ -88,7 +88,7 @@ public: List leaf_to_root () const; List root_to_leaf () const; - bool valid () const; + bool valid (std::string* reason = 0) const; bool attempt_reorder (); void sign (xmlpp::Element* parent, Standard standard) const; |