提交 db28aa86 编写于 作者: D Dr. Stephen Henson

add -trusted_first option and verify flag

上级 2da2ff50
......@@ -4,6 +4,10 @@
Changes between 1.0.0 and 1.1.0 [xx XXX xxxx]
*) Add -trusted_first option which attempts to find certificates in the
trusted store even if an untrusted chain is also supplied.
[Steve Henson]
*) Initial experimental support for explicitly trusted non-root CAs.
OpenSSL still tries to build a complete chain to a root but if an
intermediate CA has a trust setting included that is used. The first
......
......@@ -2333,6 +2333,8 @@ int args_verify(char ***pargs, int *pargc,
flags |= X509_V_FLAG_NOTIFY_POLICY;
else if (!strcmp(arg, "-check_ss_sig"))
flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
else if (!strcmp(arg, "-trusted_first"))
flags |= X509_V_FLAG_TRUSTED_FIRST;
else
return 0;
......
......@@ -215,6 +215,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
/* If we are self signed, we break */
if (cert_self_signed(x))
break;
/* If asked see if we can find issuer in trusted store first */
if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
{
ok = ctx->get_issuer(&xtmp, ctx, x);
if (ok < 0)
return ok;
/* If successful for now free up cert so it
* will be picked up again later.
*/
if (ok > 0)
{
X509_free(xtmp);
break;
}
}
/* If we were passed a cert chain, use it first */
if (ctx->untrusted != NULL)
......
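Review bot: The `return ok;` after the new `ctx->get_issuer` call leaves X509_verify_cert directly instead of through its cleanup path; if the duplicated untrusted stack (`sktmp`, set up before this loop and outside the hunk) is live here, a lookup error leaks it. The pre-existing trusted-store lookup later in the same loop presumably returns the same way, so the new code is at least consistent, but routing both through the function's cleanup label would be safer, e.g. `if (ok < 0) goto end;` with `ok` already carrying the error. The comment on the success branch should also say why the issuer is thrown away, since freeing a freshly found cert looks like a bug at first read: `/* Issuer is in the trusted store: stop walking the untrusted chain here; the trusted-store lookup below finds it again and adds it to the chain. */`. X509_verify_cert begins and ends outside the hunk.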
......@@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define X509_V_FLAG_USE_DELTAS 0x2000
/* Check selfsigned CA signature */
#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
/* Use trusted store first */
#define X509_V_FLAG_TRUSTED_FIRST 0x8000
#define X509_VP_FLAG_DEFAULT 0x1
......
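Review bot: The one-line comment on `X509_V_FLAG_TRUSTED_FIRST` does not say what "first" is relative to, so a reader of the header cannot tell that the flag changes how the chain is built. Suggest `/* Look for each certificate's issuer in the trusted store before consulting the supplied untrusted chain */`. Since this is a verify-parameter flag exposed as a command-line option, the verify documentation presumably needs a matching entry, which this commit does not touch.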