If verbose output is specified output some interesting x509 cert flags and if it have defined Digital Signature purpose of not. While these constraints are not enforced anywhere this may be useful for user to know.
Signed-off-by: Vitaly Chikunov <vt@xxxxxxxxxxxx>
---
 src/libimaevm.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 2280add..1c85397 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -56,6 +56,7 @@
 #include <openssl/pem.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <openssl/err.h>
 #include "imaevm.h"
@@ -333,6 +334,26 @@ EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
 keyfile);
 goto out;
 }
+
+ if (params.verbose > LOG_INFO) {
+ uint32_t flags;
+
+ flags = X509_get_extension_flags(crt);
+ log_info("Load x509 cert: %s flags:", keyfile);
+ if (flags & EXFLAG_CA)
+ log_info(" CA");
+ if (flags & EXFLAG_SI)
+ log_info(" Self-issued");
+ if (flags & EXFLAG_SS)
+ log_info(" Self-signed");
+ flags = X509_get_key_usage(crt);
+ if (flags & KU_DIGITAL_SIGNATURE)
+ log_info(" Digital-Signature");
+ else
+ log_info(" No-Digital-Signature");
+ log_info("\n");
+ }
+
 pkey = X509_extract_key(crt);
 X509_free(crt);
 if (!pkey) {
-- 2.11.0
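Review bot: In the second hunk, the `flags & KU_DIGITAL_SIGNATURE` test prints "Digital-Signature" for a certificate that carries no keyUsage extension at all, because X509_get_key_usage() returns UINT32_MAX when the extension is absent; the verbose line therefore cannot tell "digitalSignature asserted" from "no key-usage restriction present". Keep the extension flags in their own variable and report the absent case first, e.g. `if (!(ext_flags & EXFLAG_KUSAGE)) log_info(" No-Key-Usage");` followed by `else if (X509_get_key_usage(crt) & KU_DIGITAL_SIGNATURE)`. Since the commit message states that these constraints are not enforced, a comment above the block such as `/* Informational only: CA and key-usage bits are printed, not enforced, when the key is loaded. */` would keep a reader from taking the output as a validation result. read_pub_pkey starts and ends outside the hunk.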