author | Stuart Henderson <sthen@cvs.openbsd.org> | 2018-12-16 11:56:54 +0000 |
committer | Stuart Henderson <sthen@cvs.openbsd.org> | 2018-12-16 11:56:54 +0000 |
commit | 985dd453ad68fcf8d52e793a1aab243a5e707977 (patch) | |
tree | 82c9f7f71e2c49e7e7510e5b823176d18cfc3639 /lib/libcrypto | |
parent | c1a778871e22cd85eadb6da91143cf2ccfc1098a (diff) |
Add a check that libressl is actually able to verify CA certs.
Skip outputting them if invalid (e.g. GENERALIZEDTIME date before 2050).
Diffstat (limited to 'lib/libcrypto')
-rw-r--r-- | lib/libcrypto/format-pem.pl | 40 |
1 files changed, 28 insertions, 12 deletions
diff --git a/lib/libcrypto/format-pem.pl b/lib/libcrypto/format-pem.pl
index 556178eb30f..6134d656b74 100644
--- a/lib/libcrypto/format-pem.pl
+++ b/lib/libcrypto/format-pem.pl
@@ -1,5 +1,5 @@
 #!/usr/bin/perl
-# $OpenBSD: format-pem.pl,v 1.2 2018/03/21 15:23:53 sthen Exp $
+# $OpenBSD: format-pem.pl,v 1.3 2018/12/16 11:56:53 sthen Exp $
 #
 # Copyright (c) 2016 Stuart Henderson <sthen@openbsd.org>
 #
@@ -46,9 +46,6 @@ while(<>) {
 	my $subj = `openssl x509 -in $t -noout -subject`;
 	$subj =~ s/^subject= (.*)\n/$1/;
 
-	print STDERR "'$subj' not self-signed"
-	    if ($issuer ne $subj);
-
 	my $o = `openssl x509 -in $t -noout -nameopt sep_multiline,use_quote,esc_msb -subject`;
 	if ($o =~ /O=/) {
 		$o =~ s/.*O=([^\n]*).*/$1/sm;
@@ -56,6 +53,18 @@ while(<>) {
 		$o = $subj;
 	}
 
+	if (defined $ca{$o}{$subj}) {
+		print STDERR "ERROR: '$subj': duplicate\n";
+		$ca{$o}{$subj}{'valid'} = 0;
+	}
+
+	$ca{$o}{$subj}{'valid'} = 1;
+
+	if ($issuer ne $subj) {
+		print STDERR "ERROR: '$subj' not self-signed";
+		$ca{$o}{$subj}{'valid'} = 0;
+	}
+
 	if (eval {require Date::Parse;1;}) {
 		my $startdate = `openssl x509 -in $t -startdate -noout`;
 		my $enddate = `openssl x509 -in $t -enddate -noout`;
@@ -65,12 +74,14 @@ while(<>) {
 		my $endtime = str2time($enddate);
 
 		if ($starttime > time) {
-			print STDERR "'$subj' not valid yet\n"
+			print STDERR "ERROR: '$subj' not valid yet\n";
+			$ca{$o}{$subj}{'valid'} = 0;
 		}
 		if ($endtime < time) {
-			print STDERR "'$subj' expired on $startdate\n"
+			print STDERR "ERROR: '$subj' expired on $startdate\n";
+			$ca{$o}{$subj}{'valid'} = 0;
 		} elsif ($endtime < time + 86400 * 365 * 2) {
-			print STDERR "'$subj' expires on $enddate\n"
+			print STDERR "WARNING: '$subj' expires on $enddate\n";
 		}
 	}
 
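Review bot: The duplicate check in the `@@ -56,6 +53,18 @@` hunk has no effect on the output: the `$ca{$o}{$subj}{'valid'} = 0;` inside `if (defined $ca{$o}{$subj})` is overwritten by the unconditional `$ca{$o}{$subj}{'valid'} = 1;` two lines later, so a duplicated subject is still marked valid and survives the `valid == 1` filter at the end of the file despite the ERROR message. Making the assignment the else branch fixes it: replace the standalone assignment with `} else {` / `$ca{$o}{$subj}{'valid'} = 1;` / `}` closing the duplicate check. The `not self-signed` message also lacks a trailing `\n` (carried over from the line removed in the previous hunk), so the next diagnostic is appended to the same stderr line. The enclosing `while(<>)` loop starts and ends outside this hunk.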
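Review bot: The expiry diagnostic in the `@@ -65,12 +74,14 @@` hunk reports the wrong date: `print STDERR "ERROR: '$subj' expired on $startdate\n";` interpolates the notBefore value although the branch is taken on `$endtime < time`; it should read `print STDERR "ERROR: '$subj' expired on $enddate\n";`. The surrounding `if (eval {require Date::Parse;1;})` block begins outside this hunk, so these date checks only run when Date::Parse is installed; presumably the `openssl verify` check added later in the file is what catches expiry otherwise, which would be worth stating in a comment above the block.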
@@ -78,8 +89,10 @@ while(<>) {
 	$info .= qx/openssl x509 -in $t -fingerprint -sha256 -noout/;
 	my $cert = qx/openssl x509 -in $t/;
 
-	if (defined $ca{$o}{$subj}) {
-		print STDERR "'$subj': duplicate\n";
+	my $verify = qx/openssl verify -CAfile $t $t 2>&1/;
+	if (not $verify =~ /^$t: OK$/) {
+		print STDERR "ERROR: '$subj' cannot be verified with libressl\n---\n$verify---\n";
+		$ca{$o}{$subj}{'valid'} = 0;
 	}
 
 	$ca{$o}{$subj}{'subj'} = $subj;
@@ -92,13 +105,16 @@ while(<>) {
 }
 close $tmp;
 
+chomp $rcsid;
 print $rcsid;
 
 foreach my $o (sort{lc($a) cmp lc($b)} keys %ca) {
 	print "\n### $o\n\n";
 	foreach my $subj (sort{lc($a) cmp lc($b)} keys %{ $ca{$o} }) {
-		print "=== $subj\n";
-		print $ca{$o}{$subj}{'info'};
-		print $ca{$o}{$subj}{'cert'};
+		if ($ca{$o}{$subj}{'valid'} == 1) {
+			print "=== $subj\n";
+			print $ca{$o}{$subj}{'info'};
+			print $ca{$o}{$subj}{'cert'};
+		}
 	}
 }
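Review bot: The success test `if (not $verify =~ /^$t: OK$/)` in the `@@ -78,8 +89,10 @@` hunk interpolates the temp file path into the pattern unescaped, so any regex metacharacter in `$t` (a `.` or `+` in the temp name) changes what the pattern matches; `if ($verify !~ /^\Q$t\E: OK$/)` pins the literal path and is the idiomatic negated form. Because `2>&1` merges stderr into `$verify` and the pattern is anchored at the start of the string without /m, anything openssl prints before the `OK` line is treated as a verification failure — fine for a fail-closed check, but worth recording with a comment such as `# any extra output from openssl verify is deliberately treated as failure`. `$t` is assigned outside this hunk, and the enclosing `while(<>)` loop continues past it.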
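Review bot: In the `@@ -92,13 +105,16 @@` hunk, certificates flagged invalid are now dropped from the output while the script still exits successfully, so a caller regenerating the bundle only learns that a CA went missing by reading stderr. Counting the skipped entries in an else branch of `if ($ca{$o}{$subj}{'valid'} == 1)` (e.g. `} else { $skipped++; }` with `my $skipped = 0;` declared before the outer loop) and finishing with `exit 1 if $skipped;` would make the drop visible to callers; whether the closing `}` lines here are the end of the script cannot be told from the hunk alone, so the exit would have to go wherever the file actually ends.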