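/*
 * Chain-verification callback (the SSL_CTX_set_verify()/X509_STORE style)
 * that traces what OpenSSL is checking and, optionally, lets a failed
 * check continue.
 *
 * ok   - OpenSSL's verdict for the certificate at this depth (non-zero = passed).
 * ctx  - verification context for the current chain element.
 *
 * Writes "depth=N <subject>" to bio_err for every call. On a failure it
 * also prints the error number/string and, for selected errors, extra
 * detail (issuer, notBefore, notAfter, policies).
 *
 * Return value: the verdict handed back to OpenSSL. When the failure is at
 * or below verify_depth and verify_return_error is unset, ok is forced to 1
 * and verify_error is reset to X509_V_OK, i.e. the error is logged but
 * verification continues. Failures deeper than verify_depth are rejected
 * with verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG.
 *
 * Because this callback can turn a failed check into a pass, it is a
 * diagnostic aid: a program that installs it stays enforcing only if
 * verify_return_error is set or verify_error is examined afterwards.
 */
int verify_callback(int ok, X509_STORE_CTX *ctx)
{
    X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
    int err = X509_STORE_CTX_get_error(ctx);
    int depth = X509_STORE_CTX_get_error_depth(ctx);

    BIO_printf(bio_err, "depth=%d ", depth);
    if (err_cert != NULL) {
        X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), 0,
                           XN_FLAG_ONELINE);
        BIO_puts(bio_err, "\n");
    } else {
        /* Some errors carry no certificate (e.g. chain/CRL lookups). */
        BIO_puts(bio_err, "<no cert>\n");
    }

    if (!ok) {
        BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
                   X509_verify_cert_error_string(err));
        if (verify_depth >= depth) {
            /* Within the configured depth: report, and keep verifying
             * unless the caller asked for errors to be returned. */
            if (!verify_return_error)
                ok = 1;
            verify_error = X509_V_OK;
        } else {
            ok = 0;
            verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
        }
    }

    /* Extra detail for selected errors. err_cert may be NULL (see the
     * "<no cert>" branch above), so each dereference is guarded instead of
     * trusting that these error codes always come with a certificate. */
    switch (err) {
    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
        if (err_cert != NULL) {
            BIO_puts(bio_err, "issuer= ");
            X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), 0,
                               XN_FLAG_ONELINE);
            BIO_puts(bio_err, "\n");
        }
        break;
    case X509_V_ERR_CERT_NOT_YET_VALID:
    case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
        if (err_cert != NULL) {
            BIO_printf(bio_err, "notBefore=");
            ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert));
            BIO_printf(bio_err, "\n");
        }
        break;
    case X509_V_ERR_CERT_HAS_EXPIRED:
    case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
        if (err_cert != NULL) {
            BIO_printf(bio_err, "notAfter=");
            ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert));
            BIO_printf(bio_err, "\n");
        }
        break;
    case X509_V_ERR_NO_EXPLICIT_POLICY:
        policies_print(bio_err, ctx);
        break;
    default:
        break;
    }

    /* ok == 2 is the value OpenSSL passes when a policy check has completed
     * (rather than a plain per-certificate pass), so print the policies. */
    if (err == X509_V_OK && ok == 2)
        policies_print(bio_err, ctx);

    BIO_printf(bio_err, "verify return:%d\n", ok);
    return ok;
}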
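/*
 * Chain-verification callback that logs failures to stderr and treats a
 * fixed set of errors as non-fatal.
 *
 * ok   - OpenSSL's verdict for the current chain element (non-zero = passed).
 * ctx  - verification context.
 *
 * On failure: prints the subject of the offending certificate (if any) and
 * a "<prefix>Error N at D depth lookup: msg" line, where the prefix marks
 * the CRL-path verification when the context has a parent. The verdict is
 * then overridden to 1 for: no explicit policy (policies are printed
 * first), expired certificate, self-signed leaf, invalid CA / non-CA,
 * path-length exceeded, invalid purpose, expired or not-yet-valid CRL, and
 * unhandled critical extension. Every other error keeps ok == 0.
 *
 * On success: prints the policies when OpenSSL reports a completed policy
 * check (ok == 2) and clears the error queue.
 *
 * Returns the (possibly overridden) verdict. For the listed errors this
 * makes verification advisory: the failure is logged but reported to the
 * caller as a pass.
 */
int verify_callback(int ok, X509_STORE_CTX *ctx)
{
    /* Never set anywhere in this function, so the queue is always cleared. */
    static int v_verbose = 0;
    int cert_error = X509_STORE_CTX_get_error(ctx);

    if (!ok) {
        X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
        int error_depth = X509_STORE_CTX_get_error_depth(ctx);
        const char *error_msg = X509_verify_cert_error_string(cert_error);
        const char *prefix = "";

        if (current_cert) {
            char buf[256];
            /* Use the accessor result, not ctx->current_cert: the struct is
             * opaque in newer OpenSSL, and the value just fetched is the one
             * that was NULL-checked. X509_NAME_oneline is bounded by buf. */
            X509_NAME_oneline(X509_get_subject_name(current_cert), buf,
                              sizeof(buf));
            fprintf(stderr, "%s\n", buf);
        }

#if OPENSSL_VERSION_NUMBER >= 0x1000000f
        /* A parent context means this callback is running for the CRL path. */
        if (X509_STORE_CTX_get0_parent_ctx(ctx))
            prefix = "[CRL path] ";
#endif
        // FIXME(jweyrich): not thread-safe
        fprintf(stderr, "%sError %d at %d depth lookup: %s\n",
                prefix, cert_error, error_depth, error_msg);

        switch (cert_error) {
        case X509_V_ERR_NO_EXPLICIT_POLICY:
            policies_print(NULL, ctx);
            /* fallthrough: this error is also treated as non-fatal */
        case X509_V_ERR_CERT_HAS_EXPIRED:
            // Since we are just checking the certificates, it is
            // ok if they are self signed. But we should still warn
            // the user.
        case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
            // Continue after extension errors too
        case X509_V_ERR_INVALID_CA:
        case X509_V_ERR_INVALID_NON_CA:
        case X509_V_ERR_PATH_LENGTH_EXCEEDED:
        case X509_V_ERR_INVALID_PURPOSE:
        case X509_V_ERR_CRL_HAS_EXPIRED:
        case X509_V_ERR_CRL_NOT_YET_VALID:
        case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
            ok = 1;
            break;
        default:
            /* Any other error stays fatal. */
            break;
        }
        return ok;
    }

    /* ok == 2 is the value OpenSSL passes when a policy check has completed. */
    if (cert_error == X509_V_OK && ok == 2)
        policies_print(NULL, ctx);
    if (!v_verbose)
        ERR_clear_error();
    return ok;
}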