Commit aea61161 authored Jan 27, 2016 by Viktor Dukhovni

Make it possible to check for explicit auxiliary trust



By default X509_check_trust() trusts self-signed certificates from
the trust store that have no explicit local trust/reject oids
encapsulated as a "TRUSTED CERTIFICATE" object.  (See the -addtrust
and -trustout options of x509(1)).

This commit adds a flag that makes it possible to distinguish between
that implicit trust, and explicit auxiliary settings.

With flags |= X509_TRUST_NO_SS_COMPAT, a certificate is only trusted
via explicit trust settings.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

parent d8ca44ba

crypto/x509/x509_trs.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -285,7 +285,7 @@ static int trust_compat(X509_TRUST trust, X509 x, int flags)
		{
		/* Call for side-effect of computing hash and caching extensions */
		X509_check_purpose(x, -1, 0);
		if (x->ex_flags & EXFLAG_SS)
		if ((flags & X509_TRUST_NO_SS_COMPAT) == 0 && x->ex_flags & EXFLAG_SS)
		return X509_TRUST_TRUSTED;
		else
		return X509_TRUST_UNTRUSTED;

include/openssl/x509.h

+3 −2

Original line number	Diff line number	Diff line
		@@ -199,8 +199,9 @@ DEFINE_STACK_OF(X509_TRUST)
		# define X509_TRUST_MAX 8

		/* trust_flags values */
		# define X509_TRUST_DYNAMIC 1
		# define X509_TRUST_DYNAMIC_NAME 2
		# define X509_TRUST_DYNAMIC (1U << 0)
		# define X509_TRUST_DYNAMIC_NAME (1U << 1)
		# define X509_TRUST_NO_SS_COMPAT (1U << 2)

		/* check_trust return codes */