apps/apps.c +2 −0 @@ -2527,6 +2527,8 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_SUITEB_128_LOS; else if (!strcmp(arg, "-suiteB_192")) flags |= X509_V_FLAG_SUITEB_192_LOS; else if (!strcmp(arg, "-partial_chain")) flags |= X509_V_FLAG_PARTIAL_CHAIN; else return 0;
crypto/x509/x509_vfy.c +9 −0 @@ -756,6 +756,15 @@ static int check_trust(X509_STORE_CTX *ctx) return X509_TRUST_REJECTED; } } /* If we accept partial chains and have at least one trusted * certificate return success. */ if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { if (ctx->last_untrusted < sk_X509_num(ctx->chain)) return X509_TRUST_TRUSTED; } /* If no trusted certs in chain at all return untrusted and * allow standard (no issuer cert) etc errors to be indicated. */
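Review bot: The added branch in check_trust() returns X509_TRUST_TRUSTED as soon as `ctx->last_untrusted < sk_X509_num(ctx->chain)`, so with X509_V_FLAG_PARTIAL_CHAIN any certificate that came from the store, including an intermediate or end-entity certificate, is accepted as the trust anchor and no issuer above it has to be present; the comment should state that consequence. I would extend it to `/* With X509_V_FLAG_PARTIAL_CHAIN any certificate from the trusted store anchors the chain, CA or not; no issuer above it is required. */` and carry the same caveat on the flag's one-line comment in x509_vfy.h, so callers populate the store accordingly. It also looks as if a chain holding only the supplied certificate would fail this comparison even when that same certificate is in the store, since last_untrusted would presumably equal the chain length; that depends on chain-building code outside this hunk and is worth confirming. check_trust() begins and ends outside the hunk.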
crypto/x509/x509_vfy.h +2 −0 @@ -416,6 +416,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_V_FLAG_SUITEB_192_LOS 0x20000 /* Suite B 128 bit mode allowing 192 bit algorithms */ #define X509_V_FLAG_SUITEB_128_LOS 0x30000 /* Allow partial chains if at least one certificate is in trusted store */ #define X509_V_FLAG_PARTIAL_CHAIN 0x80000 #define X509_VP_FLAG_DEFAULT 0x1