author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-09-03 23:04:48 +0200 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-09-05 20:11:43 +0200 |
commit | 076bf8c2c972d01a70ca4146e637dfbe6f35b2fb (patch) | |
tree | 31e80fa011ec33d98582201a1c7e99764a0c30e6 | |
parent | 0b86eefd431dd05a0ba87b2f67a6b99def89b6d5 (diff) |
X509_STORE_CTX_print_verify_cb(): add AKID and SKID output for (non-)trusted certs
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12787)
-rw-r--r-- | crypto/x509/t_x509.c | 21 | ||||
-rw-r--r-- | crypto/x509/v3_prn.c | 7 | ||||
-rw-r--r-- | include/openssl/x509.h | 1 |
3 files changed, 22 insertions, 7 deletions
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 199f88857b..f0240f12c3 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -200,9 +200,10 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
 }
 }
- if (!(cflag & X509_FLAG_NO_EXTENSIONS))
- X509V3_extensions_print(bp, "X509v3 extensions",
- X509_get0_extensions(x), cflag, 8);
+ if (!(cflag & X509_FLAG_NO_EXTENSIONS)
+ && !X509V3_extensions_print(bp, "X509v3 extensions",
+ X509_get0_extensions(x), cflag, 8))
+ goto err;
 if (!(cflag & X509_FLAG_NO_SIGDUMP)) {
 const X509_ALGOR *sig_alg;
@@ -415,7 +416,8 @@ int x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags)
 if (X509_cmp_current_time(X509_get0_notAfter(cert)) < 0)
 if (BIO_printf(bio, " no more valid\n") <= 0)
 return 0;
- return X509_print_ex(bio, cert, flags, ~(neg_cflags));
+ return X509_print_ex(bio, cert, flags,
+ ~neg_cflags & ~X509_FLAG_EXTENSIONS_ONLY_KID);
 }
 static int print_certs(BIO *bio, const STACK_OF(X509) *certs)
@@ -427,8 +429,15 @@ static int print_certs(BIO *bio, const STACK_OF(X509) *certs)
 for (i = 0; i < sk_X509_num(certs); i++) {
 X509 *cert = sk_X509_value(certs, i);
- if (cert != NULL && !x509_print_ex_brief(bio, cert, 0))
- return 0;
+
+ if (cert != NULL) {
+ if (!x509_print_ex_brief(bio, cert, 0))
+ return 0;
+ if (!X509V3_extensions_print(bio, NULL,
+ X509_get0_extensions(cert),
+ X509_FLAG_EXTENSIONS_ONLY_KID, 8))
+ return 0;
+ }
 }
 return 1;
 }
diff --git a/crypto/x509/v3_prn.c b/crypto/x509/v3_prn.c
index aa902204f0..4b2ad2685b 100644
--- a/crypto/x509/v3_prn.c
+++ b/crypto/x509/v3_prn.c
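Review bot: The X509V3_extensions_print() call added in the print_certs() hunk emits nothing at all for a certificate that carries neither an SKID nor an AKID, so the brief entry for such a certificate is followed by no identifier lines and the reader has no hint that this is expected; a one-line comment above the call would make the intent explicit, e.g. `/* print SKID/AKID (when present) so chain elements can be matched to each other */`. The indent value 8 is now duplicated between this call and the one in X509_print_ex() in the first hunk of this file; a named constant would keep the two in step. The declaration of print_certs() and its loop index are outside the hunk.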
@@ -156,10 +156,15 @@ int X509V3_extensions_print(BIO *bp, const char *title,
 for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
 ASN1_OBJECT *obj;
 X509_EXTENSION *ex;
+
 ex = sk_X509_EXTENSION_value(exts, i);
+ obj = X509_EXTENSION_get_object(ex);
+ if ((flag & X509_FLAG_EXTENSIONS_ONLY_KID) != 0
+ && OBJ_obj2nid(obj) != NID_subject_key_identifier
+ && OBJ_obj2nid(obj) != NID_authority_key_identifier)
+ continue;
 if (indent && BIO_printf(bp, "%*s", indent, "") <= 0)
 return 0;
- obj = X509_EXTENSION_get_object(ex);
 i2a_ASN1_OBJECT(bp, obj);
 j = X509_EXTENSION_get_critical(ex);
 if (BIO_printf(bp, ": %s\n", j ? "critical" : "") <= 0)
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index d243fda94c..bbe2d62cf9 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -159,6 +159,7 @@ DEFINE_OR_DECLARE_STACK_OF(X509_TRUST)
 # define X509_FLAG_NO_AUX (1L << 10)
 # define X509_FLAG_NO_ATTRIBUTES (1L << 11)
 # define X509_FLAG_NO_IDS (1L << 12)
+# define X509_FLAG_EXTENSIONS_ONLY_KID (1L << 13)
 /* Flags specific to X509_NAME_print_ex() */
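Review bot: OBJ_obj2nid(obj) is evaluated twice in the new filter in X509V3_extensions_print(); computing it once into a local is clearer and avoids the repeated lookup, e.g. `int nid = OBJ_obj2nid(obj);` followed by `if ((flag & X509_FLAG_EXTENSIONS_ONLY_KID) != 0 && nid != NID_subject_key_identifier && nid != NID_authority_key_identifier) continue;`. The same flag is introduced in the include/openssl/x509.h hunk as a positive filter, unlike the neighbouring X509_FLAG_NO_* defines that suppress output, and the diffstat shows no documentation change, so a comment on the new define would help callers, e.g. `/* print only the SKID and AKID extensions (a filter, not a NO_* suppression) */`. The enclosing for loop and the remainder of the function body run outside the hunk.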