diff --git a/apps/verify.c b/apps/verify.c
index a823d58a75d648904aa6e1cd4f0de6033635e164..7fcd32a4044a5902a5e73a9d33f781d92af6b4e4 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -88,7 +88,7 @@ OPTIONS verify_options[] = {
 {"CApath", OPT_CAPATH, '/', "A directory of trusted certificates"},
 {"CAfile", OPT_CAFILE, '<', "A file of trusted certificates"},
 {"untrusted", OPT_UNTRUSTED, '<', "A file of untrusted certificates"},
- {"trusted", OPT_TRUSTED, '<', "A file of additional trusted certificates"},
+ {"trusted", OPT_TRUSTED, '<', "A file of trusted certificates"},
 {"CRLfile", OPT_CRLFILE, '<',
 "File containing one or more CRL's (in PEM format) to load"},
 {"crl_download", OPT_CRL_DOWNLOAD, '-',
@@ -180,6 +180,12 @@ int verify_main(int argc, char **argv)
 }
 argc = opt_num_rest();
 argv = opt_rest();
+ if (trustfile && (CAfile || CApath)) {
+ BIO_printf(bio_err,
+ "%s: Cannot use -trusted with -CAfile or -CApath\n",
+ prog);
+ goto end;
+ }
 if (!app_load_modules(NULL))
 goto end;
 
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index 9cc7fcb817917b6adba6e53999b2385163d66303..b1253da740037b99159bd02e7bc7061ed8954d06 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -182,13 +182,17 @@ behaviour to match that of OpenSSL versions prior to 1.1.0.
 
 =item B<-untrusted file>
 
-A file of untrusted certificates. The file should contain multiple certificates
-in PEM format concatenated together.
+A file of untrusted certificates. The file should contain one or more
+certificates in PEM format.
 
 =item B<-trusted file>
 
-A file of additional trusted certificates. The file should contain multiple
-certificates in PEM format concatenated together.
+A file of trusted certificates. The file contain one or more
+certificates in PEM format.
+With this option, no additional (e.g., default) certificate lists
+are consulted. That is, the only trusted issuers are those listed
+in B.
+This option cannot be used with the B<-CAfile> or B<-CApath> options.
 
 =item B<-use_deltas>
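Review bot: The new `-trusted` exclusivity check in the second apps/verify.c hunk bails out with a bare `goto end;` without visibly setting a failure status; if the function's exit-status variable still holds its initial value at this point (its initialisation is outside the hunk), a rejected invocation could exit the same way as a successful verify, so the failure code should be set before the `goto end;`, or the check should jump to the same usage-error path the rest of option handling uses if one exists. The check also only rejects explicitly mixing `-trusted` with `-CAfile`/`-CApath`, whereas the accompanying verify.pod hunk states that with `-trusted` no default certificate lists are consulted at all; nothing in this hunk establishes that, so the guarantee must come from the trust-store setup outside the hunk or the documentation overstates what the commit enforces. A one-line comment above the check would make the intent explicit: `/* -trusted is meant to be the sole source of trust anchors; refuse to combine it with the default-store options */`. verify_main begins and ends outside the hunk.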