Commit a392ef20 authored by Richard Levitte's avatar Richard Levitte

Allow proxy certs to be present when verifying a chain

parent ed17c7c1
+5 −3
@@ -85,7 +85,7 @@ int has_stdin_waiting(void);
        OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
        OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
        OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
        OPT_V_VERIFY_AUTH_LEVEL, \
        OPT_V_VERIFY_AUTH_LEVEL, OPT_V_ALLOW_PROXY_CERTS, \
        OPT_V__LAST

# define OPT_V_OPTIONS \
@@ -135,7 +135,8 @@ int has_stdin_waiting(void);
        { "partial_chain", OPT_V_PARTIAL_CHAIN, '-', \
            "accept chains anchored by intermediate trust-store CAs"}, \
        { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)" }, \
        { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }
        { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }, \
        { "allow_proxy_certs", OPT_V_ALLOW_PROXY_CERTS, '-', "allow the use of proxy certificates" }

# define OPT_V_CASES \
        OPT_V__FIRST: case OPT_V__LAST: break; \
@@ -167,7 +168,8 @@ int has_stdin_waiting(void);
        case OPT_V_SUITEB_192: \
        case OPT_V_PARTIAL_CHAIN: \
        case OPT_V_NO_ALT_CHAINS: \
        case OPT_V_NO_CHECK_TIME
        case OPT_V_NO_CHECK_TIME: \
        case OPT_V_ALLOW_PROXY_CERTS

/*
 * Common "extended"? options.
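Review bot: Nothing in the header records that the OPT_V_ enumerator list, the OPT_V_OPTIONS table and the OPT_V_CASES list must be extended together, which this change does in three separate hunks; a new enumerator left out of OPT_V_CASES is unlikely to be caught by the compiler, since the option values are plain ints. A comment above the enumerator list, e.g. `/* Keep the OPT_V_ enumerators, OPT_V_OPTIONS and OPT_V_CASES in sync; OPT_V__LAST must stay last. */`, would make the contract explicit. It is also worth stating there that the last OPT_V_CASES entry carries no colon and the last OPT_V_OPTIONS entry no trailing comma, presumably because the including code supplies them — both new entries follow that pattern, so the rule should be written down. All three macro definitions begin before their hunks.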
+3 −0
@@ -580,6 +580,9 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
    case OPT_V_NO_CHECK_TIME:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME);
        break;
    case OPT_V_ALLOW_PROXY_CERTS:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_ALLOW_PROXY_CERTS);
        break;
    }
    return 1;

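Review bot: The new `case OPT_V_ALLOW_PROXY_CERTS` deserves a why-comment, because unlike its neighbour `X509_V_FLAG_NO_CHECK_TIME` this flag relaxes what the chain may contain rather than what is checked against it: per the man-page text in this commit it lets proxy certificates verify, which otherwise fail with X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED. Something like `/* Permit RFC 3820 proxy certificates in the chain; stays opt-in */` above the `X509_VERIFY_PARAM_set_flags` call would tell a reader why this is not the default. `opt_verify` begins before the hunk; its header documentation, if any, should mention the new option as well.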
+1 −0
@@ -214,6 +214,7 @@ static int check(X509_STORE *ctx, char *file,
               (file == NULL) ? "stdin" : file);
        goto end;
    }

    X509_STORE_set_flags(ctx, vflags);
    if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
        printf("error %s: X.509 store context initialization failed\n",
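Review bot: The added `X509_STORE_set_flags(ctx, vflags);` uses `vflags`, which is neither declared nor assigned anywhere in this hunk, while the proxy option introduced by this commit is applied through `X509_VERIFY_PARAM_set_flags` on the vpm in `opt_verify`, not through this variable. If `vflags` is a file-level `static int` that nothing on this path updates, the call ORs zero into the store's parameters and changes nothing, so either a comment should state which flags are expected to arrive in `vflags`, or the line should be dropped. As far as I recall `X509_STORE_set_flags` ORs its argument into the existing flags, so it cannot clear flags set earlier, but that also means it is not the mechanism that enables proxy certificates here. `check` begins and ends outside the hunk.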
+11 −1
@@ -12,6 +12,7 @@ B<openssl> B<verify>
[B<-CApath directory>]
[B<-no-CAfile>]
[B<-no-CApath>]
[B<-allow_proxy_certs>]
[B<-attime timestamp>]
[B<-check_ss_sig>]
[B<-CRLfile file>]
@@ -83,6 +84,10 @@ Do not load the trusted CA certificates from the default file location

Do not load the trusted CA certificates from the default directory location

=item B<-allow_proxy_certs>

Allow the verification of proxy certificates

=item B<-attime timestamp>

Perform validation checks using time specified by B<timestamp> and not
@@ -564,13 +569,18 @@ Invalid non-CA certificate has CA markings.

Proxy path length constraint exceeded.

=item B<X509_V_ERR_PROXY_SUBJECT_INVALID>

Proxy certificate subject is invalid.  It MUST be the same as the issuer
with a single CN component added.

=item B<X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE>

Key usage does not include digital signature.

=item B<X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED>

Proxy certificates not allowed, please set the appropriate flag.
Proxy certificates not allowed, please use B<-allow_proxy_certs>.

=item B<X509_V_ERR_INVALID_EXTENSION>