Commit 5b89036c, author: Rich Salz, committer: Rich Salz

Can't use -trusted with -CA{path,file}

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Parent e5c0bc6c
...@@ -88,7 +88,7 @@ OPTIONS verify_options[] = { ...@@ -88,7 +88,7 @@ OPTIONS verify_options[] = {
{"CApath", OPT_CAPATH, '/', "A directory of trusted certificates"}, {"CApath", OPT_CAPATH, '/', "A directory of trusted certificates"},
{"CAfile", OPT_CAFILE, '<', "A file of trusted certificates"}, {"CAfile", OPT_CAFILE, '<', "A file of trusted certificates"},
{"untrusted", OPT_UNTRUSTED, '<', "A file of untrusted certificates"}, {"untrusted", OPT_UNTRUSTED, '<', "A file of untrusted certificates"},
{"trusted", OPT_TRUSTED, '<', "A file of additional trusted certificates"}, {"trusted", OPT_TRUSTED, '<', "A file of trusted certificates"},
{"CRLfile", OPT_CRLFILE, '<', {"CRLfile", OPT_CRLFILE, '<',
"File containing one or more CRL's (in PEM format) to load"}, "File containing one or more CRL's (in PEM format) to load"},
{"crl_download", OPT_CRL_DOWNLOAD, '-', {"crl_download", OPT_CRL_DOWNLOAD, '-',
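Review bot: The new help text for "trusted" ("A file of trusted certificates") is now word-for-word the same as the one for "CAfile" two lines above it, so the option summary no longer tells the two apart. Since this commit makes them mutually exclusive, suggest the -trusted string say so, for example that it is the only trust source and cannot be combined with -CAfile or -CApath.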
...@@ -180,6 +180,12 @@ int verify_main(int argc, char **argv) ...@@ -180,6 +180,12 @@ int verify_main(int argc, char **argv)
} }
argc = opt_num_rest(); argc = opt_num_rest();
argv = opt_rest(); argv = opt_rest();
if (trustfile && (CAfile || CApath)) {
BIO_printf(bio_err,
"%s: Cannot use -trusted with -CAfile or -CApath\n",
prog);
goto end;
}
if (!app_load_modules(NULL)) if (!app_load_modules(NULL))
goto end; goto end;
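Review bot: The "goto end" in the new "if (trustfile && (CAfile || CApath))" block depends on the return value set earlier in verify_main, which this hunk does not show; please confirm it is still the failure value at this point, so a rejected option combination exits non-zero and a calling script cannot read it as a successful verification. The message itself is clear and names both conflicting options.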
......
...@@ -182,13 +182,17 @@ behaviour to match that of OpenSSL versions prior to 1.1.0. ...@@ -182,13 +182,17 @@ behaviour to match that of OpenSSL versions prior to 1.1.0.
=item B<-untrusted file> =item B<-untrusted file>
A file of untrusted certificates. The file should contain multiple certificates A file of untrusted certificates. The file should contain one or more
in PEM format concatenated together. certificates in PEM format.
=item B<-trusted file> =item B<-trusted file>
A file of additional trusted certificates. The file should contain multiple A file of trusted certificates. The file contain one or more
certificates in PEM format concatenated together. certificates in PEM format.
With this option, no additional (e.g., default) certificate lists
are consulted. That is, the only trusted issuers are those listed
in B<file>.
This option cannot be used with the B<-CAfile> or B<-CApath> options.
=item B<-use_deltas> =item B<-use_deltas>
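Review bot: The added -trusted text reads "The file contain one or more", which is missing "should"; the -untrusted paragraph above has the correct form, "The file should contain one or more". Separately, the new statement that no default certificate lists are consulted is not backed by anything visible in this patch, which only adds the conflict check for explicit -CAfile and -CApath; please confirm the default store is skipped when -trusted is given, or soften the wording.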
......