Commit db28aa86 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

add -trusted_first option and verify flag

parent 2da2ff50
+4 −0
@@ -4,6 +4,10 @@

 Changes between 1.0.0 and 1.1.0  [xx XXX xxxx]

  *) Add -trusted_first option which attempts to find certificates in the
     trusted store even if an untrusted chain is also supplied.
     [Steve Henson]

  *) Initial experimental support for explicitly trusted non-root CAs. 
     OpenSSL still tries to build a complete chain to a root but if an
     intermediate CA has a trust setting included that is used. The first
+2 −0
@@ -2333,6 +2333,8 @@ int args_verify(char ***pargs, int *pargc,
		flags |= X509_V_FLAG_NOTIFY_POLICY;
	else if (!strcmp(arg, "-check_ss_sig"))
		flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
	else if (!strcmp(arg, "-trusted_first"))
		flags |= X509_V_FLAG_TRUSTED_FIRST;
	else
		return 0;

+15 −0
@@ -215,6 +215,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
		/* If we are self signed, we break */
		if (cert_self_signed(x))
			break;
		/* If asked see if we can find issuer in trusted store first */
		if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
			{
			ok = ctx->get_issuer(&xtmp, ctx, x);
			if (ok < 0)
				return ok;
			/* If successful for now free up cert so it
			 * will be picked up again later.
			 */
			if (ok > 0)
				{
				X509_free(xtmp);
				break;
				}
			}

		/* If we were passed a cert chain, use it first */
		if (ctx->untrusted != NULL)
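Review bot: The early `return ok;` in the new `if (ok < 0)` branch exits X509_verify_cert without passing through whatever cleanup the function does at its end; X509_verify_cert starts and ends outside this hunk, and if it has already duplicated the untrusted stack by this point (as the surrounding code appears to), that copy is leaked whenever the trusted-store lookup reports an error. Routing the failure through the function's cleanup label instead, e.g. `if (ok < 0) goto <cleanup-label>;` with the label the function already uses for its other exits, keeps this path consistent with them and avoids the leak. The comment over the `ok > 0` branch would also be clearer about why the reference is dropped: `/* Issuer found in the trusted store: release this reference and stop walking the untrusted chain; the trusted lookup later in the function fetches it again. */`.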
+2 −0
@@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define X509_V_FLAG_USE_DELTAS			0x2000
/* Check selfsigned CA signature */
#define X509_V_FLAG_CHECK_SS_SIGNATURE		0x4000
/* Use trusted store first */
#define X509_V_FLAG_TRUSTED_FIRST		0x8000


#define X509_VP_FLAG_DEFAULT			0x1
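Review bot: The one-line comment `/* Use trusted store first */` on the new X509_V_FLAG_TRUSTED_FIRST define does not tell an API user what actually changes in chain building, and this header is where they will look it up. A comment such as `/* When set, X509_verify_cert() looks for each issuer in the trusted store before consulting the untrusted chain supplied by the caller; otherwise the untrusted chain is searched first. */` states the behaviour the verifier implements. It is also worth confirming that 0x8000 does not collide with any other X509_V_FLAG_* value defined in this header, since only the neighbouring defines are visible in the hunk.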