From 5b89036c41a009a76cd0e1595dde5001ae157972 Mon Sep 17 00:00:00 2001 From: Rich Salz Date: Thu, 9 Jul 2015 14:54:13 -0400 Subject: [PATCH] Can't use -trusted with -CA{path,file} Reviewed-by: Viktor Dukhovni --- apps/verify.c | 8 +++++++- doc/apps/verify.pod | 12 ++++++++---- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/apps/verify.c b/apps/verify.c index a823d58a75..7fcd32a404 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -88,7 +88,7 @@ OPTIONS verify_options[] = { {"CApath", OPT_CAPATH, '/', "A directory of trusted certificates"}, {"CAfile", OPT_CAFILE, '<', "A file of trusted certificates"}, {"untrusted", OPT_UNTRUSTED, '<', "A file of untrusted certificates"}, - {"trusted", OPT_TRUSTED, '<', "A file of additional trusted certificates"}, + {"trusted", OPT_TRUSTED, '<', "A file of trusted certificates"}, {"CRLfile", OPT_CRLFILE, '<', "File containing one or more CRL's (in PEM format) to load"}, {"crl_download", OPT_CRL_DOWNLOAD, '-', @@ -180,6 +180,12 @@ int verify_main(int argc, char **argv) } argc = opt_num_rest(); argv = opt_rest(); + if (trustfile && (CAfile || CApath)) { + BIO_printf(bio_err, + "%s: Cannot use -trusted with -CAfile or -CApath\n", + prog); + goto end; + } if (!app_load_modules(NULL)) goto end; diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index 9cc7fcb817..b1253da740 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -182,13 +182,17 @@ behaviour to match that of OpenSSL versions prior to 1.1.0. =item B<-untrusted file> -A file of untrusted certificates. The file should contain multiple certificates -in PEM format concatenated together. +A file of untrusted certificates. The file should contain one or more +certificates in PEM format. =item B<-trusted file> -A file of additional trusted certificates. The file should contain multiple -certificates in PEM format concatenated together. +A file of trusted certificates. The file contain one or more +certificates in PEM format. +With this option, no additional (e.g., default) certificate lists +are consulted. That is, the only trusted issuers are those listed +in B. +This option cannot be used with the B<-CAfile> or B<-CApath> options. =item B<-use_deltas> -- GitLab