From a392ef20f0a9fedc811b6a06bf50ff3f151e266f Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sun, 19 Jun 2016 10:55:43 +0200 Subject: [PATCH] Allow proxy certs to be present when verifying a chain Reviewed-by: Rich Salz Reviewed-by: Stephen Henson --- apps/apps.h | 8 +++++--- apps/opt.c | 3 +++ apps/verify.c | 1 + doc/apps/verify.pod | 12 +++++++++++- 4 files changed, 20 insertions(+), 4 deletions(-) diff --git a/apps/apps.h b/apps/apps.h index 616f1840c0..319b02ef19 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -85,7 +85,7 @@ int has_stdin_waiting(void); OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \ OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \ OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \ - OPT_V_VERIFY_AUTH_LEVEL, \ + OPT_V_VERIFY_AUTH_LEVEL, OPT_V_ALLOW_PROXY_CERTS, \ OPT_V__LAST # define OPT_V_OPTIONS \ @@ -135,7 +135,8 @@ int has_stdin_waiting(void); { "partial_chain", OPT_V_PARTIAL_CHAIN, '-', \ "accept chains anchored by intermediate trust-store CAs"}, \ { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)" }, \ - { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" } + { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }, \ + { "allow_proxy_certs", OPT_V_ALLOW_PROXY_CERTS, '-', "allow the use of proxy certificates" } # define OPT_V_CASES \ OPT_V__FIRST: case OPT_V__LAST: break; \ @@ -167,7 +168,8 @@ int has_stdin_waiting(void); case OPT_V_SUITEB_192: \ case OPT_V_PARTIAL_CHAIN: \ case OPT_V_NO_ALT_CHAINS: \ - case OPT_V_NO_CHECK_TIME + case OPT_V_NO_CHECK_TIME: \ + case OPT_V_ALLOW_PROXY_CERTS /* * Common "extended"? options. diff --git a/apps/opt.c b/apps/opt.c index d694fe15f2..f72ac64ec7 100644 --- a/apps/opt.c +++ b/apps/opt.c @@ -580,6 +580,9 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm) case OPT_V_NO_CHECK_TIME: X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME); break; + case OPT_V_ALLOW_PROXY_CERTS: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_ALLOW_PROXY_CERTS); + break; } return 1; diff --git a/apps/verify.c b/apps/verify.c index 86d1b2a851..40e19d45dc 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -214,6 +214,7 @@ static int check(X509_STORE *ctx, char *file, (file == NULL) ? "stdin" : file); goto end; } + X509_STORE_set_flags(ctx, vflags); if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) { printf("error %s: X.509 store context initialization failed\n", diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index 051cd624f1..0fd1799af2 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -12,6 +12,7 @@ B B [B<-CApath directory>] [B<-no-CAfile>] [B<-no-CApath>] +[B<-allow_proxy_certs>] [B<-attime timestamp>] [B<-check_ss_sig>] [B<-CRLfile file>] @@ -83,6 +84,10 @@ Do not load the trusted CA certificates from the default file location Do not load the trusted CA certificates from the default directory location +=item B<-allow_proxy_certs> + +Allow the verification of proxy certificates + =item B<-attime timestamp> Perform validation checks using time specified by B and not @@ -564,13 +569,18 @@ Invalid non-CA certificate has CA markings. Proxy path length constraint exceeded. +=item B + +Proxy certificate subject is invalid. It MUST be the same as the issuer +with a single CN component added. + =item B Key usage does not include digital signature. =item B -Proxy certificates not allowed, please set the appropriate flag. +Proxy certificates not allowed, please use B<-allow_proxy_certs>. =item B -- GitLab