mirror of
https://github.com/openssl/openssl.git
synced 2024-12-21 06:09:35 +08:00
4b5371913e
Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11123)
174 lines
4.9 KiB
Plaintext
174 lines
4.9 KiB
Plaintext
=pod
|
|
{- OpenSSL::safe::output_do_not_edit_headers(); -}
|
|
|
|
=head1 NAME
|
|
|
|
openssl-verify - certificate verification command
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
B<openssl> B<verify>
|
|
[B<-help>]
|
|
[B<-CRLfile> I<file>]
|
|
[B<-crl_download>]
|
|
[B<-show_chain>]
|
|
[B<-sm2-id> I<hexstring>]
|
|
[B<-sm2-hex-id> I<hexstring>]
|
|
[B<-verbose>]
|
|
[B<-trusted> I<file>]
|
|
[B<-untrusted> I<file>]
|
|
{- $OpenSSL::safe::opt_name_synopsis -}
|
|
{- $OpenSSL::safe::opt_trust_synopsis -}
|
|
{- $OpenSSL::safe::opt_engine_synopsis -}
|
|
{- $OpenSSL::safe::opt_v_synopsis -}
|
|
{- $OpenSSL::safe::opt_provider_synopsis -}
|
|
[B<-->]
|
|
[I<certificate> ...]
|
|
|
|
=for openssl ifdef engine sm2-id sm2-hex-id
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
This command verifies certificate chains.
|
|
|
|
=head1 OPTIONS
|
|
|
|
=over 4
|
|
|
|
=item B<-help>
|
|
|
|
Print out a usage message.
|
|
|
|
=item B<-CAfile> I<file>, B<-no-CAfile>, B<-CApath> I<dir>, B<-no-CApath>
|
|
|
|
See L<openssl(1)/Trusted Certificate Options> for more information.
|
|
|
|
=item B<-CRLfile> I<file>
|
|
|
|
The I<file> should contain one or more CRLs in PEM format.
|
|
This option can be specified more than once to include CRLs from multiple
|
|
I<file>s.
|
|
|
|
=item B<-crl_download>
|
|
|
|
Attempt to download CRL information for this certificate.
|
|
|
|
=item B<-show_chain>
|
|
|
|
Display information about the certificate chain that has been built (if
|
|
successful). Certificates in the chain that came from the untrusted list will be
|
|
flagged as "untrusted".
|
|
|
|
=item B<-sm2-id> I<hexstring>
|
|
|
|
Specify the ID string to use when verifying an SM2 certificate. The ID string is
|
|
required by the SM2 signature algorithm for signing and verification.
|
|
|
|
=item B<-sm2-hex-id> I<hexstring>
|
|
|
|
Specify a binary ID string to use when signing or verifying using an SM2
|
|
certificate. The argument for this option is string of hexadecimal digits.
|
|
|
|
=item B<-verbose>
|
|
|
|
Print extra information about the operations being performed.
|
|
|
|
=item B<-trusted> I<file>
|
|
|
|
A file of trusted certificates.
|
|
|
|
=item B<-untrusted> I<file>
|
|
|
|
A file of untrusted certificates.
|
|
|
|
{- $OpenSSL::safe::opt_name_item -}
|
|
|
|
{- $OpenSSL::safe::opt_engine_item -}
|
|
To load certificates or CRLs that require engine support, specify the
|
|
B<-engine> option before any of the
|
|
B<-trusted>, B<-untrusted> or B<-CRLfile> options.
|
|
|
|
{- $OpenSSL::safe::opt_trust_item -}
|
|
|
|
{- $OpenSSL::safe::opt_v_item -}
|
|
|
|
{- $OpenSSL::safe::opt_provider_item -}
|
|
|
|
=item B<-->
|
|
|
|
Indicates the last option. All arguments following this are assumed to be
|
|
certificate files. This is useful if the first certificate filename begins
|
|
with a B<->.
|
|
|
|
=item I<certificate> ...
|
|
|
|
One or more certificates to verify. If no certificates are given,
|
|
this command will attempt to read a certificate from standard input.
|
|
Certificates must be in PEM format.
|
|
If a certificate chain has multiple problems, this program tries to
|
|
display all of them.
|
|
|
|
=back
|
|
|
|
=head1 DIAGNOSTICS
|
|
|
|
When a verify operation fails the output messages can be somewhat cryptic. The
|
|
general form of the error message is:
|
|
|
|
server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
|
|
error 24 at 1 depth lookup:invalid CA certificate
|
|
|
|
The first line contains the name of the certificate being verified followed by
|
|
the subject name of the certificate. The second line contains the error number
|
|
and the depth. The depth is number of the certificate being verified when a
|
|
problem was detected starting with zero for the certificate being verified itself
|
|
then 1 for the CA that signed the certificate and so on. Finally a text version
|
|
of the error number is presented.
|
|
|
|
A list of the error codes and messages can be found in
|
|
L<X509_STORE_CTX_get_error(3)>; the full list is defined in the header file
|
|
F<< <openssl/x509_vfy.h> >>.
|
|
|
|
This command ignores many errors, in order to allow all the problems with a
|
|
certificate chain to be determined.
|
|
|
|
=head1 BUGS
|
|
|
|
Although the issuer checks are a considerable improvement over the old
|
|
technique they still suffer from limitations in the underlying X509_LOOKUP
|
|
API. One consequence of this is that trusted certificates with matching
|
|
subject name must either appear in a file (as specified by the B<-CAfile>
|
|
option), a directory (as specified by B<-CApath>), or a store (as specified
|
|
by B<-CAstore>). If they occur in more than one location then only the
|
|
certificates in the file will be recognised.
|
|
|
|
Previous versions of OpenSSL assume certificates with matching subject
|
|
name are identical and mishandled them.
|
|
|
|
Previous versions of this documentation swapped the meaning of the
|
|
B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT> and
|
|
B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes.
|
|
|
|
=head1 SEE ALSO
|
|
|
|
L<openssl(1)>,
|
|
L<openssl-x509(1)>,
|
|
L<ossl_store-file(7)>
|
|
|
|
=head1 HISTORY
|
|
|
|
The B<-show_chain> option was added in OpenSSL 1.1.0.
|
|
|
|
The B<-sm2-id> and B<-sm2-hex-id> options were added in OpenSSL 3.0.
|
|
|
|
=head1 COPYRIGHT
|
|
|
|
Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
|
|
|
|
Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file LICENSE in the source distribution or at
|
|
L<https://www.openssl.org/source/license.html>.
|
|
|
|
=cut
|