stir_shaken: CRL fixes and a new CLI command

* Fixed a bug in crypto_show_cli_store that was causing asterisk
to crash if there were certificate revocation lists in the
verification certificate store.  We're also now prefixing
certificates with "Cert:" and CRLs with "CRL:" to distinguish them
in the list.

* Added 'untrusted_cert_file' and 'untrusted_cert_path' options
to both verification and profile objects.  If you have CRLs that
are signed by a different CA than the incoming X5U certificate
(indirect CRL), you'll need to provide the certificate of the
CRL signer here.  Thse will show up as 'Untrusted" when showing
the verification or profile objects.

* Fixed loading of crl_path.  The OpenSSL API we were using to
load CRLs won't actually load them from a directory, only a file.
We now scan the directory ourselves and load the files one-by-one.

* Fixed the verification flags being set on the certificate store.
  - Removed the CRL_CHECK_ALL flag as this was causing all certificates
    to be checked for CRL extensions and failing to verify the cert if
    there was none.  This basically caused all certs to fail when a CRL
    was provided via crl_file or crl_path.
  - Added the EXTENDED_CRL_SUPPORT flag as it is required to handle
    indirect CRLs.

* Added a new CLI command...
`stir_shaken verify certificate_file <certificate_file> [ <profile> ]`
which will assist troubleshooting certificate problems by allowing
the user to manually verify a certificate file against either the
global verification certificate store or the store for a specific
profile.

* Updated the XML documentation and the sample config file.

Resolves: #809

res/res_stir_shaken/verification_config.c

@@ -29,6 +29,8 @@
 #define DEFAULT_ca_path NULL
 #define DEFAULT_crl_file NULL
 #define DEFAULT_crl_path NULL
+#define DEFAULT_untrusted_cert_file NULL
+#define DEFAULT_untrusted_cert_path NULL
 static char DEFAULT_cert_cache_dir[PATH_MAX];
 
 #define DEFAULT_curl_timeout 2
@@ -129,6 +131,8 @@ int vs_copy_cfg_common(const char *id, struct verification_cfg_common *cfg_dst,
 		cfg_sf_copy_wrapper(id, cfg_dst, cfg_src, ca_path);
 		cfg_sf_copy_wrapper(id, cfg_dst, cfg_src, crl_file);
 		cfg_sf_copy_wrapper(id, cfg_dst, cfg_src, crl_path);
+		cfg_sf_copy_wrapper(id, cfg_dst, cfg_src, untrusted_cert_file);
+		cfg_sf_copy_wrapper(id, cfg_dst, cfg_src, untrusted_cert_path);
 		ao2_bump(cfg_src->tcs);
 		cfg_dst->tcs = cfg_src->tcs;
 	}
@@ -188,6 +192,20 @@ int vs_check_common_config(const char *id,
 			id, vcfg_common->crl_path);
 	}
 
+	if (!ast_strlen_zero(vcfg_common->untrusted_cert_file)
+		&& !ast_file_is_readable(vcfg_common->untrusted_cert_file)) {
+		SCOPE_EXIT_LOG_RTN_VALUE(-1, LOG_ERROR,
+			"%s: untrusted_cert_file '%s' not found, or is unreadable\n",
+			id, vcfg_common->untrusted_cert_file);
+	}
+
+	if (!ast_strlen_zero(vcfg_common->untrusted_cert_path)
+		&& !ast_file_is_readable(vcfg_common->untrusted_cert_path)) {
+		SCOPE_EXIT_LOG_RTN_VALUE(-1, LOG_ERROR,
+			"%s: untrusted_cert_path '%s' not found, or is unreadable\n",
+			id, vcfg_common->untrusted_cert_path);
+	}
+
 	if (!ast_strlen_zero(vcfg_common->ca_file)
 		|| !ast_strlen_zero(vcfg_common->ca_path)) {
 		int rc = 0;
@@ -219,7 +237,7 @@ int vs_check_common_config(const char *id,
 					"%s: Unable to create CA cert store\n", id);
 			}
 		}
-		rc = crypto_load_cert_store(vcfg_common->tcs,
+		rc = crypto_load_crl_store(vcfg_common->tcs,
 			vcfg_common->crl_file, vcfg_common->crl_path);
 		if (rc != 0) {
 			SCOPE_EXIT_LOG_RTN_VALUE(-1, LOG_ERROR,
@@ -228,14 +246,34 @@ int vs_check_common_config(const char *id,
 		}
 	}
 
+	if (!ast_strlen_zero(vcfg_common->untrusted_cert_file)
+		|| !ast_strlen_zero(vcfg_common->untrusted_cert_path)) {
+		int rc = 0;
+
+		if (!vcfg_common->tcs) {
+			vcfg_common->tcs = crypto_create_cert_store();
+			if (!vcfg_common->tcs) {
+				SCOPE_EXIT_LOG_RTN_VALUE(-1, LOG_ERROR,
+					"%s: Unable to create CA cert store\n", id);
+			}
+		}
+		rc = crypto_load_untrusted_cert_store(vcfg_common->tcs,
+			vcfg_common->untrusted_cert_file, vcfg_common->untrusted_cert_path);
+		if (rc != 0) {
+			SCOPE_EXIT_LOG_RTN_VALUE(-1, LOG_ERROR,
+				"%s: Unable to load CA CRL store from '%s' or '%s'\n",
+				id, vcfg_common->untrusted_cert_file, vcfg_common->untrusted_cert_path);
+		}
+	}
+
 	if (vcfg_common->tcs) {
 		if (ENUM_BOOL(vcfg_common->load_system_certs, load_system_certs)) {
-			X509_STORE_set_default_paths(vcfg_common->tcs->store);
+			X509_STORE_set_default_paths(vcfg_common->tcs->certs);
 		}
 
 		if (!ast_strlen_zero(vcfg_common->crl_file)
 			|| !ast_strlen_zero(vcfg_common->crl_path)) {
-			X509_STORE_set_flags(vcfg_common->tcs->store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+			X509_STORE_set_flags(vcfg_common->tcs->certs, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_EXTENDED_CRL_SUPPORT);
 		}
 	}
 
@@ -355,6 +393,11 @@ static char *cli_verification_show(struct ast_cli_entry *e, int cmd, struct ast_
 		return CLI_SHOWUSAGE;
 	}
 
+	if (!vs_is_config_loaded()) {
+		ast_log(LOG_WARNING,"Stir/Shaken verification service disabled.  Either there were errors in the 'verification' object in stir_shaken.conf or it was missing altogether.\n");
+		return CLI_FAILURE;
+	}
+
 	cfg = vs_get_cfg();
 	config_object_cli_show(cfg, a, &data, 0);