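## OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_verify
## Written 2005 by Michael Bell for the OpenXPKI project
## Rewritten 2006 by Julia Dubenskaya for the OpenXPKI project
## changes for CHAIN passing by Alexander Klink for the OpenXPKI
## project 2006.
## (C) Copyright 2005-2006 by The OpenXPKI Project

use strict;
use warnings;

package OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_verify;

use base qw(OpenXPKI::Crypto::Backend::OpenSSL::Command);

use Data::Dumper;

## Build the argument vector for "openssl cms -verify" from the
## parameters stored in $self (their meaning is described in the POD
## at the end of this file).
##
## Returns an array ref holding one array ref of command arguments.
## Throws OpenXPKI::Exception when PKCS7 is missing, when neither a
## (non-empty) CHAIN nor NO_CHAIN is given, or when CRL_CHECK is
## requested without a CRL.
sub get_command
{
    my $self = shift;

    ## compensate missing parameters

    # The engine is only used when its configured usage contains ALWAYS.
    my $engine       = "";
    my $engine_usage = $self->{ENGINE}->get_engine_usage();
    my $engine_name  = $self->{ENGINE}->get_engine();
    $engine = $engine_name
        if ($engine_name and $engine_usage =~ m{ ALWAYS }xms);

    if (not $self->{PKCS7})
    {
        OpenXPKI::Exception->throw (
            message => "I18N_OPENXPKI_CRYPTO_OPENSSL_COMMAND_PKCS7_VERIFY_MISSING_PKCS7");
    }

    # Assemble chain.  A CHAIN that is defined but empty is treated like
    # a missing one: an empty -CAfile can not validate any signer.
    my $chainfile;
    if (defined $self->{CHAIN} and @{ $self->{CHAIN} }) {
        ## prepare data
        my $chain = join("\n", @{ $self->{CHAIN} });
        $chainfile = $self->write_temp_file( $chain );
    }
    elsif (!$self->{NO_CHAIN}) {
        # No chain is ok only when the signer certificate is not verified
        OpenXPKI::Exception->throw(
            message => 'I18N_OPENXPKI_CRYPTO_OPENSSL_COMMAND_PKCS7_VERIFY_MISSING_CHAIN',
        );
    }

    ## build the command

    # Every caller-supplied value is either a separate list element or
    # written to a temp file, so none of it is interpreted by a shell.
    my @command = qw( cms -verify -binary -inform PEM );
    push @command, ("-engine", $engine) if ($engine);
    push @command, ("-in", $self->write_temp_file( $self->{PKCS7} ));
    push @command, ("-signer", $self->get_outfile());

    # Optional parts
    if ($self->{CONTENT}) {
        push @command, ("-content", $self->write_temp_file( $self->{CONTENT} ));
    }

    # NO_CHAIN: openssl checks only the signature over the content and
    # does not verify the signer certificate.
    push @command, ("-noverify") if ($self->{NO_CHAIN});

    if ($chainfile) {
        push @command, ("-CAfile", $chainfile);
    }

    if ($self->{CRL_CHECK}) {
        # Refuse before extending the command: a CRL check without a
        # CRL would otherwise be requested without revocation data.
        OpenXPKI::Exception->throw (
            message => "CRL check requested but no CRL given"
        ) unless ($self->{CRL});
        # 'leaf' checks only the signer certificate, any other true
        # value checks the whole chain.
        push @command, ($self->{CRL_CHECK} eq 'leaf' ? '-crl_check' : '-crl_check_all');
        # NOTE(review): combined with NO_CHAIN the signer certificate is
        # not verified by openssl at all, so the CRL check presumably
        # has no effect in that combination -- confirm against cms(1).
        push @command, ( '-CRLfile', $self->write_temp_file( $self->{CRL} ) );
    }

    return [ \@command ];
}

## The signer certificate written by "-signer" is not secret.
sub hide_output
{
    return 0;
}

## please notice that key_usage means usage of the engine's key;
## verification never needs it.
sub key_usage
{
    my $self = shift;
    return 0;
}

#get_result moved to base class

1;
__END__

=head1 Name

OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_verify

=head1 Functions

=head2 get_command

=over

=item * CONTENT (original data which was signed, optional)

=item * PKCS7 (signature which should be verified, mandatory)

=item * ENGINE_USAGE

=item * CHAIN

is an array of PEM encoded certificates, mandatory unless NO_CHAIN is set.
An empty array is treated like a missing chain.

=item * NO_CHAIN (do not check the signer certificate, passes -noverify)

=item * CRL

Must contain one or more PEM encoded CRLs. Mandatory when I<CRL_CHECK>
is set; this command does not enable the CRL check on its own.

=item * CRL_CHECK

Set to I<leaf> to only validate the entity certificate (-crl_check).
Any other true value validates the whole chain (-crl_check_all).
Requires I<CRL>.

=back

=head2 hide_output

returns false

=head2 key_usage

returns false

=head2 get_result

returns the signer on success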