1 /*
2 * Copyright (C) 2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "pki.h"
17
18 #include <credentials/certificates/certificate.h>
19 #include <credentials/certificates/x509.h>
20
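/**
 * Verify a certificate signature.
 *
 * Loads an X.509 certificate (from the --in file, or from stdin when no
 * file is given) and checks that it was issued by the CA certificate given
 * with --cacert. Without a CA certificate the certificate is checked against
 * its own key, i.e. it is treated as self-signed. Only the direct issuer
 * signature and the validity periods are examined here: no chain building,
 * trust-anchor lookup or revocation (CRL/OCSP) check happens in this
 * command, so "signature good" on its own does not establish trust.
 *
 * @return 0 if the signature is good and the certificate(s) are valid now,
 *         1 on a usage or parse error, 2 if verification failed
 */
static int verify(void)
{
	certificate_t *cert = NULL, *ca = NULL;
	char *file = NULL, *cafile = NULL;
	bool good = FALSE;
	char *arg;
	int rc = 1;

	while (TRUE)
	{
		switch (command_getopt(&arg))
		{
			case 'h':
				return command_usage(NULL);
			case 'i':
				file = arg;
				continue;
			case 'c':
				cafile = arg;
				continue;
			case EOF:
				break;
			default:
				return command_usage("invalid --verify option");
		}
		break;
	}

	if (file)
	{
		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
								  BUILD_FROM_FILE, file, BUILD_END);
	}
	else
	{
		/* no --in given: read the certificate from stdin (fd 0) */
		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
								  BUILD_FROM_FD, 0, BUILD_END);
	}
	if (!cert)
	{
		fprintf(stderr, "parsing certificate failed\n");
		goto out;
	}
	if (cafile)
	{
		ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
								BUILD_FROM_FILE, cafile, BUILD_END);
		if (!ca)
		{
			fprintf(stderr, "parsing CA certificate failed\n");
			/* cert is released at out: instead of being leaked on this path */
			goto out;
		}
	}
	else
	{
		/* self-signed check: the certificate vouches for itself */
		ca = cert;
	}

	if (cert->issued_by(cert, ca))
	{
		if (cert->get_validity(cert, NULL, NULL, NULL))
		{
			if (cafile)
			{
				/* with an explicit CA, its validity period must hold as well */
				if (ca->get_validity(ca, NULL, NULL, NULL))
				{
					printf("signature good, certificates valid\n");
					good = TRUE;
				}
				else
				{
					printf("signature good, CA certificates not valid now\n");
				}
			}
			else
			{
				printf("signature good, certificate valid\n");
				good = TRUE;
			}
		}
		else
		{
			printf("certificate not valid now\n");
		}
	}
	else
	{
		printf("signature invalid\n");
	}
	rc = good ? 0 : 2;

out:
	/* ca aliases cert in the self-signed case; destroy each object once */
	if (ca && ca != cert)
	{
		ca->destroy(ca);
	}
	if (cert)
	{
		cert->destroy(cert);
	}
	return rc;
}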
119
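/**
 * Register the verify command with the pki command table.
 *
 * Runs automatically at program load (GCC constructor attribute), before
 * main() is entered. The usage line now names the long option as it is
 * actually registered (--cacert) instead of the abbreviated --ca.
 */
static void __attribute__((constructor)) reg(void)
{
	command_t cmd = {
		verify, 'v', "verify",
		"verify a certificate using the CA certificate",
		{"[--in file] [--cacert file]"},
		{
			{"help", 'h', 0, "show usage information"},
			{"in", 'i', 1, "X.509 certificate to verify, default: stdin"},
			{"cacert", 'c', 1, "CA certificate, default: verify self signed"},
		}
	};

	command_register(cmd);
}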
136