/** * Check if X509Cert is signed by trusted issuer * @return 0 or openssl error_code. Get human readable cause with X509_verify_cert_error_string(code) * @throw IOException if error */ int digidoc::X509Cert::verify() const throw(IOException) { X509_STORE_CTX *csc = X509_STORE_CTX_new(); X509_STORE_CTX_scope csct(&csc); if (!csc) THROW_IOEXCEPTION("Failed to create X509_STORE_CTX %s",ERR_reason_error_string(ERR_get_error())); X509_STORE *store = digidoc::X509CertStore::getInstance()->getCertStore(); X509* x = getX509(); X509_scope xt(&x); if(!X509_STORE_CTX_init(csc, store, x, NULL)) THROW_IOEXCEPTION("Failed to init X509_STORE_CTX %s",ERR_reason_error_string(ERR_get_error())); int ok = X509_verify_cert(csc); if(!ok) { int err = X509_STORE_CTX_get_error(csc); X509Cert cause(X509_STORE_CTX_get_current_cert (csc)); std::ostringstream s; s << "Unable to verify " << cause.getSubject(); s << ". Cause: " << X509_verify_cert_error_string(err); switch(err) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: { IOException e(__FILE__, __LINE__, s.str()); e.setCode( Exception::CertificateIssuerMissing ); throw e; break; } default: THROW_IOEXCEPTION(s.str().c_str()); break; } } return ok; }
bool bdoc::X509Cert::verify(X509_STORE* aStore, struct tm* tm) const { if (aStore == NULL) { THROW_STACK_EXCEPTION("Invalid argument to verify"); } X509_STORE* store = aStore; X509_STORE** ppStore = NULL; X509_STORE_scope xst(ppStore); X509_STORE_CTX *csc = X509_STORE_CTX_new(); X509_STORE_CTX_scope csct(&csc); if (csc == NULL) { THROW_STACK_EXCEPTION("Failed to create X509_STORE_CTX %s",ERR_reason_error_string(ERR_get_error())); } X509* x = getX509(); X509_scope xt(&x); if (!X509_STORE_CTX_init(csc, store, x, NULL)) { THROW_STACK_EXCEPTION("Failed to init X509_STORE_CTX %s",ERR_reason_error_string(ERR_get_error())); } if (tm != NULL) { time_t t = timegm(tm); if (t == -1) { THROW_STACK_EXCEPTION("Given time cannot be represented as calendar time"); } X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(csc); if (param == NULL) { THROW_STACK_EXCEPTION("Failed to retrieve X509_STORE_CTX verification parameters %s", ERR_reason_error_string(ERR_get_error())); } X509_VERIFY_PARAM_set_time(param, t); } int ok = X509_verify_cert(csc); if (ok != 1) { int err = X509_STORE_CTX_get_error(csc); X509Cert cause(X509_STORE_CTX_get_current_cert (csc)); std::ostringstream s; s << "Unable to verify " << cause.getSubject(); s << ". Cause: " << X509_verify_cert_error_string(err); switch (err) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: { THROW_STACK_EXCEPTION("Certificate issuer missing: %s", s.str().c_str()); } default: THROW_STACK_EXCEPTION(s.str().c_str()); break; } } return (ok == 1); }