Commit 2b6bcb70 authored by Matt Caswell's avatar Matt Caswell

Add support for -no-CApath and -no-CAfile options



For those command line options that take the verification options
-CApath and -CAfile, if those options are absent then the default path or
file is used instead. It is not currently possible to specify *no* path or
file at all. This change adds the options -no-CApath and -no-CAfile to all
relevant applications, to specify that the default locations should not be
used.

Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
parent 631fb6af
+34 −23
@@ -227,11 +227,17 @@ int app_init(long mesgwin)
}
#endif

int ctx_set_verify_locations(SSL_CTX *ctx,
                             const char *CAfile, const char *CApath)
int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
                             const char *CApath, int noCAfile, int noCApath)
{
    if (CAfile == NULL && CApath == NULL)
        return SSL_CTX_set_default_verify_paths(ctx);
    if (CAfile == NULL && CApath == NULL) {
        if (!noCAfile && SSL_CTX_set_default_verify_file(ctx) <= 0)
            return 0;
        if (!noCApath && SSL_CTX_set_default_verify_dir(ctx) <= 0)
            return 0;

        return 1;
    }
    return SSL_CTX_load_verify_locations(ctx, CAfile, CApath);
}

@@ -1244,13 +1250,15 @@ void print_array(BIO *out, const char* title, int len, const unsigned char* d)
    BIO_printf(out, "\n};\n");
}

X509_STORE *setup_verify(char *CAfile, char *CApath)
X509_STORE *setup_verify(char *CAfile, char *CApath, int noCAfile, int noCApath)
{
    X509_STORE *store = X509_STORE_new();
    X509_LOOKUP *lookup;

    if (!store)
        goto end;

    if(CAfile != NULL || !noCAfile) {
        lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
        if (lookup == NULL)
            goto end;
@@ -1261,7 +1269,9 @@ X509_STORE *setup_verify(char *CAfile, char *CApath)
            }
        } else
            X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
    }

    if(CApath != NULL || !noCApath) {
        lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
        if (lookup == NULL)
            goto end;
@@ -1272,6 +1282,7 @@ X509_STORE *setup_verify(char *CAfile, char *CApath)
            }
        } else
            X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
    }

    ERR_clear_error();
    return store;
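Review bot: The two new guards in setup_verify, `if(CAfile != NULL || !noCAfile) {` and `if(CApath != NULL || !noCApath) {`, drop the space after `if` that every other condition in these hunks has; write them `if (CAfile != NULL || !noCAfile) {` and `if (CApath != NULL || !noCApath) {`. The two helpers also now disagree in a user-visible way: with an explicit CAfile and CApath == NULL, setup_verify still falls into the `X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT)` branch and trusts the default directory unless -no-CApath is given, whereas ctx_set_verify_locations passes both straight to `SSL_CTX_load_verify_locations(ctx, CAfile, CApath)` and loads no default at all — pre-existing, but worth a comment above the first guard, e.g. `/* An explicit CAfile/CApath is always loaded; noCAfile/noCApath only suppress the default location, so unlike ctx_set_verify_locations a default is still added alongside a single explicit location */`. When both flags are set and neither location is given the store is returned with no trust anchors, so every chain will fail verification; that is the intended "trust nothing by default" effect, but a one-line comment saying so would stop a reader from treating the non-NULL return as "something was loaded". setup_verify's body, including its `end:` label, continues past the end of the hunk.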
+4 −3
@@ -442,9 +442,10 @@ STACK_OF(X509) *load_certs(const char *file, int format,
STACK_OF(X509_CRL) *load_crls(const char *file, int format,
                              const char *pass, ENGINE *e,
                              const char *cert_descrip);
X509_STORE *setup_verify(char *CAfile, char *CApath);
int ctx_set_verify_locations(SSL_CTX *ctx,
                             const char *CAfile, const char *CApath);
X509_STORE *setup_verify(char *CAfile, char *CApath,
                         int noCAfile, int noCApath);
int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
                             const char *CApath, int noCAfile, int noCApath);
# ifdef OPENSSL_NO_ENGINE
#  define setup_engine(engine, debug) NULL
# else
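Review bot: The new `noCAfile`/`noCApath` parameters are added to both prototypes without any comment, and their relationship to `CAfile`/`CApath` cannot be read off the names. A comment above the declarations would help, e.g. `/* noCAfile/noCApath: do not fall back to the default CA file/directory when the corresponding CAfile/CApath is NULL; an explicit location is loaded regardless. With both set and both locations NULL the result holds no trust anchors. */`. The header also does not say that the two helpers differ in whether a default is still added when only one explicit location is supplied; if that difference is intentional, stating it here is the cheapest place to do so.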
+15 −4
@@ -118,9 +118,9 @@ typedef enum OPTION_choice {
    OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF,
    OPT_NOINDEF, OPT_NOOLDMIME, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT,
    OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE,
    OPT_CAPATH, OPT_CONTENT, OPT_PRINT, OPT_SECRETKEY,
    OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE, OPT_RAND,
    OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP,
    OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE,OPT_CONTENT, OPT_PRINT,
    OPT_SECRETKEY, OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE,
    OPT_RAND, OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP,
    OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM,
    OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP,
    OPT_3DES_WRAP, OPT_ENGINE,
@@ -185,6 +185,10 @@ OPTIONS cms_options[] = {
    {"certfile", OPT_CERTFILE, '<', "Other certificates file"},
    {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
    {"CApath", OPT_CAPATH, '/', "trusted certificates directory"},
    {"no-CAfile", OPT_NOCAFILE, '-',
     "Do not load the default certificates file"},
    {"no-CApath", OPT_NOCAPATH, '-',
     "Do not load certificates from the default certificates directory"},
    {"content", OPT_CONTENT, '<',
     "Supply or override content for detached signature"},
    {"print", OPT_PRINT, '-'},
@@ -242,6 +246,7 @@ int cms_main(int argc, char **argv)
    X509_VERIFY_PARAM *vpm = NULL;
    char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
    char *CAfile = NULL, *CApath = NULL, *certsoutfile = NULL;
    int noCAfile = 0, noCApath = 0;
    char *infile = NULL, *outfile = NULL, *rctfile = NULL, *inrand = NULL;
    char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *recipfile =
        NULL;
@@ -422,6 +427,12 @@ int cms_main(int argc, char **argv)
        case OPT_CAPATH:
            CApath = opt_arg();
            break;
        case OPT_NOCAFILE:
            noCAfile = 1;
            break;
        case OPT_NOCAPATH:
            noCApath = 1;
            break;
        case OPT_IN:
            infile = opt_arg();
            break;
@@ -834,7 +845,7 @@ int cms_main(int argc, char **argv)
        goto end;

    if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) {
        if ((store = setup_verify(CAfile, CApath)) == NULL)
        if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
            goto end;
        X509_STORE_set_verify_cb(store, cms_cb);
        if (vpmtouched)
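Review bot: The reflowed enum line `OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE,OPT_CONTENT, OPT_PRINT,` is missing the space after `OPT_NOCAFILE,`; write it `OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE, OPT_CONTENT, OPT_PRINT,`. Note that the flags are only consumed in the `SMIME_VERIFY`/`SMIME_VERIFY_RECEIPT` branch where `setup_verify` is called, so for every other cms operation `-no-CAfile`/`-no-CApath` are accepted and silently ignored, the same as `-CAfile`; a trailing "(verify only)" in the two new help strings would make that explicit. cms_main continues well beyond these hunks.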
+14 −4
@@ -70,8 +70,8 @@ typedef enum OPTION_choice {
    OPT_INFORM, OPT_IN, OPT_OUTFORM, OPT_OUT, OPT_KEYFORM, OPT_KEY,
    OPT_ISSUER, OPT_LASTUPDATE, OPT_NEXTUPDATE, OPT_FINGERPRINT,
    OPT_CRLNUMBER, OPT_BADSIG, OPT_GENDELTA, OPT_CAPATH, OPT_CAFILE,
    OPT_VERIFY, OPT_TEXT, OPT_HASH, OPT_HASH_OLD, OPT_NOOUT,
    OPT_NAMEOPT, OPT_MD
    OPT_NOCAPATH, OPT_NOCAFILE, OPT_VERIFY, OPT_TEXT, OPT_HASH, OPT_HASH_OLD,
    OPT_NOOUT, OPT_NAMEOPT, OPT_MD
} OPTION_CHOICE;

OPTIONS crl_options[] = {
@@ -92,6 +92,10 @@ OPTIONS crl_options[] = {
    {"gendelta", OPT_GENDELTA, '<'},
    {"CApath", OPT_CAPATH, '/', "Verify CRL using certificates in dir"},
    {"CAfile", OPT_CAFILE, '<', "Verify CRL using certificates in file name"},
    {"no-CAfile", OPT_NOCAFILE, '-',
     "Do not load the default certificates file"},
    {"no-CApath", OPT_NOCAPATH, '-',
     "Do not load certificates from the default certificates directory"},
    {"verify", OPT_VERIFY, '-'},
    {"text", OPT_TEXT, '-', "Print out a text format version"},
    {"hash", OPT_HASH, '-', "Print hash value"},
@@ -121,7 +125,7 @@ int crl_main(int argc, char **argv)
    int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = 0;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM;
    int ret = 1, num = 0, badsig = 0, fingerprint = 0, crlnumber = 0;
    int text = 0, do_ver = 0;
    int text = 0, do_ver = 0, noCAfile = 0, noCApath = 0;
    int i;
#ifndef OPENSSL_NO_MD5
    int hash_old = 0;
@@ -171,6 +175,12 @@ int crl_main(int argc, char **argv)
            CAfile = opt_arg();
            do_ver = 1;
            break;
        case OPT_NOCAPATH:
            noCApath =  1;
            break;
        case OPT_NOCAFILE:
            noCAfile =  1;
            break;
        case OPT_HASH_OLD:
#ifndef OPENSSL_NO_MD5
            hash_old = ++num;
@@ -230,7 +240,7 @@ int crl_main(int argc, char **argv)
        goto end;

    if (do_ver) {
        if ((store = setup_verify(CAfile, CApath)) == NULL)
        if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
            goto end;
        lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
        if (lookup == NULL)
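Review bot: The two new case bodies use a doubled space, `noCApath =  1;` and `noCAfile =  1;`; write them `noCApath = 1;` and `noCAfile = 1;`. Unlike the `OPT_CAFILE` case directly above them, which also sets `do_ver = 1`, the new cases do not touch `do_ver`, so `openssl crl -no-CAfile -no-CApath` on its own performs no verification at all (the `if (do_ver)` block is skipped); that is defensible, but the help strings should say the options only take effect together with `-verify`, `-CAfile` or `-CApath`, e.g. `"Do not load the default certificates file (with -verify)"`. The enum and the option table also list `OPT_NOCAPATH` before `OPT_NOCAFILE` here while the table entries and the other apps in this commit put CAfile first; pick one order. crl_main continues outside the hunk.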
+13 −2
@@ -131,7 +131,7 @@ typedef enum OPTION_choice {
    OPT_NO_CERT_CHECKS, OPT_NO_EXPLICIT, OPT_TRUST_OTHER,
    OPT_NO_INTERN, OPT_BADSIG, OPT_TEXT, OPT_REQ_TEXT, OPT_RESP_TEXT,
    OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER,
    OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH,
    OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH, OPT_NOCAFILE, OPT_NOCAPATH,
    OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT,
    OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL,
    OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER,
@@ -183,6 +183,10 @@ OPTIONS ocsp_options[] = {
     "Additional certificates to search for signer"},
    {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
    {"CApath", OPT_CAPATH, '<', "Trusted certificates directory"},
    {"no-CAfile", OPT_NOCAFILE, '-',
     "Do not load the default certificates file"},
    {"no-CApath", OPT_NOCAPATH, '-',
     "Do not load certificates from the default certificates directory"},
    {"validity_period", OPT_VALIDITY_PERIOD, 'u',
     "Maximum validity discrepancy in seconds"},
    {"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"},
@@ -236,6 +240,7 @@ int ocsp_main(int argc, char **argv)
    char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
    char *signfile = NULL, *keyfile = NULL;
    char *thost = NULL, *tport = NULL, *tpath = NULL;
    int noCAfile = 0, noCApath = 0;
    int accept_count = -1, add_nonce = 1, noverify = 0, use_ssl = -1;
    int vpmtouched = 0, badsig = 0, i, ignore_err = 0, nmin = 0, ndays = -1;
    int req_text = 0, resp_text = 0, req_timeout = -1, ret = 1;
@@ -369,6 +374,12 @@ int ocsp_main(int argc, char **argv)
        case OPT_CAPATH:
            CApath = opt_arg();
            break;
        case OPT_NOCAFILE:
            noCAfile = 1;
            break;
        case OPT_NOCAPATH:
            noCApath = 1;
            break;
        case OPT_V_CASES:
            if (!opt_verify(o, vpm))
                goto end;
@@ -685,7 +696,7 @@ int ocsp_main(int argc, char **argv)
    }

    if (!store) {
        store = setup_verify(CAfile, CApath);
        store = setup_verify(CAfile, CApath, noCAfile, noCApath);
        if (!store)
            goto end;
    }
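Review bot: The new flags are only consulted on `store = setup_verify(CAfile, CApath, noCAfile, noCApath);`, which sits inside `if (!store)`; if `store` can already have been populated earlier in ocsp_main (not visible in this hunk) then `-no-CAfile`/`-no-CApath` are silently dropped on that path, which for a "trust nothing by default" switch is worse than dropping an additive option. If that path exists, either apply the flags there too or add a comment on the `if (!store)` line noting that the explicit store wins and the no-* options are ignored. The surrounding function starts and ends outside the hunk.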