Print untrusted certificate chain
olszomal committed Feb 15, 2024
1 parent bd1ab77 commit 36c1f5f
Showing 1 changed file with 23 additions and 1 deletion.
24 changes: 23 additions & 1 deletion osslsigncode.c
Expand Up @@ -1295,6 +1295,8 @@ static void print_cert(X509 *cert, int i)
char *subject, *issuer, *serial;
BIGNUM *serialbn;

if (!cert)
return;
subject = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
issuer = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);
serialbn = ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), NULL);
Expand All @@ -1314,6 +1316,19 @@ static void print_cert(X509 *cert, int i)
OPENSSL_free(serial);
}

/*
* [in] certs: X509 certificate chain
* [returns] none
*/
static void print_certs_chain(STACK_OF(X509) *certs)
{
int i;

for (i=0; i<sk_X509_num(certs); i++) {
print_cert(sk_X509_value(certs, i), i);
}
}

/*
* [in] txt, list
* [returns] 0 on error or 1 on success
Expand Down Expand Up @@ -1759,8 +1774,13 @@ static int verify_timestamp(FILE_FORMAT_CTX *ctx, PKCS7 *p7, CMS_ContentInfo *ti
/* verify a CMS SignedData structure */
printf("\nTimestamp verified by:\n");
if (!CMS_verify(timestamp, NULL, store, 0, NULL, 0)) {
STACK_OF(X509) *cms_certs;
printf("\nCMS_verify error\n");
X509_STORE_free(store);
printf("\nUntrusted Timestamp Certificate Chain:\n");
cms_certs = CMS_get1_certs(timestamp);
print_certs_chain(cms_certs);
sk_X509_pop_free(cms_certs, X509_free);
goto out;
}
X509_STORE_free(store);
Expand Down Expand Up @@ -1871,7 +1891,7 @@ static int verify_authenticode(FILE_FORMAT_CTX *ctx, PKCS7 *p7, time_t time, X50
bio = BIO_new_mem_buf(p7->d.sign->contents->d.other->value.sequence->data,
p7->d.sign->contents->d.other->value.sequence->length);
}
printf("Signing Certificate Chain:\n");
printf("Signing Certificate Chain verified by:\n");
/*
* In the PKCS7_verify() function, the BIO *indata parameter refers to
* the signed data if the content is detached from p7.
Expand All @@ -1883,6 +1903,8 @@ static int verify_authenticode(FILE_FORMAT_CTX *ctx, PKCS7 *p7, time_t time, X50
printf("\nPKCS7_verify error\n");
X509_STORE_free(store);
BIO_free(bio);
printf("\nUntrusted Signing Certificate Chain:\n");
print_certs_chain(p7->d.sign->cert);
goto out;
}
X509_STORE_free(store);
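Review bot: `print_certs_chain()` (second hunk) dumps whatever the signer placed in the structure — `CMS_get1_certs(timestamp)` in the third hunk and `p7->d.sign->cert` in the last — before any chain has been built against the store, so its header comment should state that the certificates are unvalidated and that a NULL stack is accepted, e.g. `* [in] certs: X509 certificate chain (unvalidated, signer supplied; may be NULL)`. The helper copes with NULL only because `sk_X509_num(NULL)` returns -1 and the loop never runs, and the timestamp path relies on the same tolerance in `sk_X509_pop_free()` when `CMS_get1_certs()` fails to allocate; reading the count once into a local, `int num = sk_X509_num(certs);`, makes that contract visible and stops re-evaluating it on every iteration. `print_cert()` now returns early on a NULL entry (first hunk), which also covers `sk_X509_value()` returning NULL, so the helper itself needs no further check. Both `verify_timestamp()` and `verify_authenticode()` begin and end outside their hunks.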
