Commit d33def66 authored by Viktor Dukhovni

Deprecate the -issuer_checks debugging option



This was a developer debugging feature and was never a useful public
interface.

Added all missing X509 error codes to the verify(1) manpage, but
many still need a description beyond the associated text string.

Sorted the errors in x509_txt.c by error number.

Reviewed-by: Stephen Henson <steve@openssl.org>
parent 056be06b
+1 −2
@@ -207,8 +207,7 @@ void wait_for_async(SSL *s);
            "check peer certificate matches \"ipaddr\"" }, \
        { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', \
            "Disable critical extension checking"}, \
        { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', \
            "Enable debugging of certificate issuer checks"}, \
        { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)"}, \
        { "crl_check", OPT_V_CRL_CHECK, '-', "Check that peer cert has not been revoked" }, \
        { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "Also check all certs in the chain" }, \
        { "policy_check", OPT_V_POLICY_CHECK, '-', "Enable certificate policy checking"}, \
+1 −1
@@ -557,7 +557,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_IGNORE_CRITICAL);
        break;
    case OPT_V_ISSUER_CHECKS:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CB_ISSUER_CHECK);
        /* NOP, deprecated */
        break;
    case OPT_V_CRL_CHECK:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CRL_CHECK);
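Review bot: The `case OPT_V_ISSUER_CHECKS:` arm now accepts the option and discards it silently, so an existing script or wrapper that still passes `-issuer_checks` gets no run-time indication that the option has become a no-op; the only hint is the "(deprecated)" help text in the option-table hunk above. A one-line diagnostic in the arm, using the same error BIO the other apps diagnostics use if it is in scope here, would make the change visible: `BIO_printf(bio_err, "Warning: -issuer_checks is deprecated and ignored\n");`. opt_verify begins and ends outside the hunk.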
+13 −14
@@ -90,10 +90,10 @@ const char *X509_verify_cert_error_string(long n)
        return ("CRL signature failure");
    case X509_V_ERR_CERT_NOT_YET_VALID:
        return ("certificate is not yet valid");
    case X509_V_ERR_CRL_NOT_YET_VALID:
        return ("CRL is not yet valid");
    case X509_V_ERR_CERT_HAS_EXPIRED:
        return ("certificate has expired");
    case X509_V_ERR_CRL_NOT_YET_VALID:
        return ("CRL is not yet valid");
    case X509_V_ERR_CRL_HAS_EXPIRED:
        return ("CRL has expired");
    case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
@@ -120,23 +120,14 @@ const char *X509_verify_cert_error_string(long n)
        return ("certificate revoked");
    case X509_V_ERR_INVALID_CA:
        return ("invalid CA certificate");
    case X509_V_ERR_INVALID_NON_CA:
        return ("invalid non-CA certificate (has CA markings)");
    case X509_V_ERR_PATH_LENGTH_EXCEEDED:
        return ("path length constraint exceeded");
    case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
        return ("proxy path length constraint exceeded");
    case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
        return
            ("proxy certificates not allowed, please set the appropriate flag");
    case X509_V_ERR_INVALID_PURPOSE:
        return ("unsupported certificate purpose");
    case X509_V_ERR_CERT_UNTRUSTED:
        return ("certificate not trusted");
    case X509_V_ERR_CERT_REJECTED:
        return ("certificate rejected");
    case X509_V_ERR_APPLICATION_VERIFICATION:
        return ("application verification failure");
    case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
        return ("subject issuer mismatch");
    case X509_V_ERR_AKID_SKID_MISMATCH:
@@ -151,10 +142,17 @@ const char *X509_verify_cert_error_string(long n)
        return ("unhandled critical extension");
    case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
        return ("key usage does not include CRL signing");
    case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
        return ("key usage does not include digital signature");
    case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
        return ("unhandled critical CRL extension");
    case X509_V_ERR_INVALID_NON_CA:
        return ("invalid non-CA certificate (has CA markings)");
    case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
        return ("proxy path length constraint exceeded");
    case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
        return ("key usage does not include digital signature");
    case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
        return
            ("proxy certificates not allowed, please set the appropriate flag");
    case X509_V_ERR_INVALID_EXTENSION:
        return ("invalid or inconsistent certificate extension");
    case X509_V_ERR_INVALID_POLICY_EXTENSION:
@@ -167,13 +165,14 @@ const char *X509_verify_cert_error_string(long n)
        return ("Unsupported extension feature");
    case X509_V_ERR_UNNESTED_RESOURCE:
        return ("RFC 3779 resource not subset of parent's resources");

    case X509_V_ERR_PERMITTED_VIOLATION:
        return ("permitted subtree violation");
    case X509_V_ERR_EXCLUDED_VIOLATION:
        return ("excluded subtree violation");
    case X509_V_ERR_SUBTREE_MINMAX:
        return ("name constraints minimum and maximum not supported");
    case X509_V_ERR_APPLICATION_VERIFICATION:
        return ("application verification failure");
    case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:
        return ("unsupported name constraint type");
    case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX:
+1 −10
@@ -318,16 +318,7 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
        }
    }

    if (ret == X509_V_OK)
        return 1;
    /* If we haven't asked for issuer errors don't set ctx */
    if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
        return 0;

    ctx->error = ret;
    ctx->current_cert = x;
    ctx->current_issuer = issuer;
    return ctx->verify_cb(0, ctx);
    return (ret == X509_V_OK);
}

/* Alternative lookup method: look from a STACK stored in other_ctx */
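Review bot: The removed `return ctx->verify_cb(0, ctx);` path let an application verify callback turn a failed issuer check into success whenever X509_V_FLAG_CB_ISSUER_CHECK was set; the new `return (ret == X509_V_OK);` closes that override, which is a behavioural tightening the commit message does not call out. A short comment above the return would keep the next maintainer from reintroducing the callback path: `/* Issuer-check failures are not reported through verify_cb and cannot be overridden by it. */`. If X509_V_FLAG_CB_ISSUER_CHECK remains defined in the public header, its description there and in the X509_VERIFY_PARAM_set_flags documentation should state that the flag is now ignored. check_issued begins outside the hunk.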
+5 −6
@@ -47,7 +47,6 @@ B<openssl> B<cms>
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-issuer_checks>]
[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
@@ -472,12 +471,12 @@ then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.

=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
B<-verify_ip>, B<-verify_name>, B<-x509_strict>
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
B<-verify_name>, B<-x509_strict>

Set various certificate chain validation options. See the
L<verify(1)> manual page for details.