| /*************************************************************************** |
| * _ _ ____ _ |
| * Project ___| | | | _ \| | |
| * / __| | | | |_) | | |
| * | (__| |_| | _ <| |___ |
| * \___|\___/|_| \_\_____| |
| * |
| * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. |
| * |
| * This software is licensed as described in the file COPYING, which |
| * you should have received as part of this distribution. The terms |
| * are also available at https://curl.se/docs/copyright.html. |
| * |
| * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
| * copies of the Software, and permit persons to whom the Software is |
| * furnished to do so, under the terms of the COPYING file. |
| * |
| * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
| * KIND, either express or implied. |
| * |
| * SPDX-License-Identifier: curl |
| * |
| ***************************************************************************/ |
| #include "test.h" |
| |
| #include "memdebug.h" |
| |
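/*
 * Return the text following 'prefix' in the certinfo field 'field', or NULL
 * when the field is NULL or does not start with that prefix.
 */
static const char *field_value(const char *field, const char *prefix)
{
  size_t plen = strlen(prefix);
  if(field && !strncmp(field, prefix, plen))
    return field + plen;
  return NULL;
}

/*
 * Verify correct order of certificates in the chain by comparing the
 * subject and issuer attributes of each certificate: the issuer of
 * certificate N must equal the subject of certificate N+1.
 *
 * cert_info: result of CURLINFO_CERTINFO, one slist of "Name:value" strings
 *            per certificate. A NULL pointer is reported as a failure.
 *
 * Returns true when the chain holds at most one certificate, or when every
 * compared adjacent pair matches. A certificate that lacks a Subject or an
 * Issuer field is not compared; its issuer (possibly NULL) still becomes the
 * reference for the next certificate, so such a certificate also clears the
 * comparison for the one that follows it.
 */
static bool is_chain_in_order(struct curl_certinfo *cert_info)
{
  const char *last_issuer = NULL;
  int cert;

  if(!cert_info) {
    fprintf(stderr, "no certificate information available\n");
    return false;
  }

  /* Chains with only a single certificate are always in order */
  if(cert_info->num_of_certs <= 1)
    return true;

  /* Enumerate each certificate in the chain */
  for(cert = 0; cert < cert_info->num_of_certs; cert++) {
    struct curl_slist *slist;
    const char *issuer = NULL;
    const char *subject = NULL;

    /* Find the certificate issuer and subject by enumerating each field;
       stop as soon as both have been seen */
    for(slist = cert_info->certinfo[cert]; slist && (!issuer || !subject);
        slist = slist->next) {
      const char *value = field_value(slist->data, "Issuer:");
      if(value)
        issuer = value;
      value = field_value(slist->data, "Subject:");
      if(value)
        subject = value;
    }

    if(subject && issuer) {
      printf("cert %d\n", cert);
      printf(" subject: %s\n", subject);
      printf(" issuer: %s\n", issuer);

      if(last_issuer) {
        /* If the last certificate's issuer matches the current certificate's
         * subject, then the chain is in order */
        if(strcmp(last_issuer, subject) != 0) {
          fprintf(stderr, "cert %d issuer does not match cert %d subject\n",
                  cert - 1, cert);
          fprintf(stderr, "certificate chain is not in order\n");
          return false;
        }
      }
    }

    /* Carry this certificate's issuer (NULL if it had none) forward */
    last_issuer = issuer;
  }

  printf("certificate chain is in order\n");
  return true;
}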
| |
/*
 * Write callback that discards the response body: it writes nothing and
 * reports every byte as consumed so libcurl does not abort the transfer.
 */
static size_t wrfu(void *ptr, size_t size, size_t nmemb, void *stream)
{
  size_t consumed = size * nmemb;
  (void)ptr;
  (void)stream;
  return consumed;
}
| |
/*
 * Fetch the certificate chain captured on 'curl' and confirm it is in
 * issuing order. Returns the curl_easy_getinfo() error when that fails,
 * TEST_ERR_FAILURE when the chain is out of order, CURLE_OK otherwise.
 */
static CURLcode check_chain(CURL *curl)
{
  struct curl_certinfo *cert_info = NULL;
  /* Get the certificate information */
  CURLcode rc = curl_easy_getinfo(curl, CURLINFO_CERTINFO, &cert_info);
  if(rc)
    return rc;
  /* Check to see if the certificate chain is ordered correctly */
  return is_chain_in_order(cert_info) ? CURLE_OK : TEST_ERR_FAILURE;
}

/*
 * Test entry point: retrieve URL with certificate information enabled and
 * verify that the captured chain is delivered in order. Peer and host
 * verification are switched off because only the ordering of the chain is
 * under test here, not its trust.
 */
int test(char *URL)
{
  CURL *curl = NULL;
  CURLcode res = CURLE_OK;

  if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) {
    fprintf(stderr, "curl_global_init() failed\n");
    return TEST_ERR_MAJOR_BAD;
  }

  curl = curl_easy_init();
  if(!curl) {
    fprintf(stderr, "curl_easy_init() failed\n");
    curl_global_cleanup();
    return TEST_ERR_MAJOR_BAD;
  }

  /* Set the HTTPS url to retrieve. */
  test_setopt(curl, CURLOPT_URL, URL);
  /* Capture certificate information */
  test_setopt(curl, CURLOPT_CERTINFO, 1L);
  /* Ignore output */
  test_setopt(curl, CURLOPT_WRITEFUNCTION, wrfu);
  /* No peer verify; the chain is still captured without it */
  test_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
  test_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);

  /* Perform the request. CURLE_GOT_NOTHING is accepted as well
     (presumably the test server may close without sending a body); the
     handshake has completed by then, so the chain can still be examined */
  res = curl_easy_perform(curl);
  if(res == CURLE_OK || res == CURLE_GOT_NOTHING)
    res = check_chain(curl);

test_cleanup:

  /* always cleanup */
  curl_easy_cleanup(curl);
  curl_global_cleanup();

  return res;
}