Add -no_alt_chains option to apps to implement the new X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building certificate chains, the first chain found will be the one used. Without this flag, if the first chain found is not trusted then we will keep looking to see if we can build an alternative chain instead.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>

Conflicts:
	apps/cms.c
	apps/ocsp.c
	apps/s_client.c
	apps/s_server.c
	apps/smime.c
	apps/verify.c

7 files changed, 13 insertions, 1 deletions

diff --git a/apps/apps.c b/apps/apps.c
index 5b7aedccde..6801238348 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2238,6 +2238,8 @@ int args_verify(char ***pargs, int *pargc,
         flags |= X509_V_FLAG_NOTIFY_POLICY;
     else if (!strcmp(arg, "-check_ss_sig"))
         flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
+    else if (!strcmp(arg, "-no_alt_chains"))
+        flags |= X509_V_FLAG_NO_ALT_CHAINS;
     else
         return 0;
 
diff --git a/apps/cms.c b/apps/cms.c
index 0cc4b46d8e..d7645c0d62 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -581,6 +581,8 @@ int MAIN(int argc, char **argv)
                    "-CApath dir    trusted certificates directory\n");
         BIO_printf(bio_err, "-CAfile file   trusted certificates file\n");
         BIO_printf(bio_err,
+                   "-no_alt_chains only ever use the first certificate chain found\n");
+        BIO_printf(bio_err,
                    "-crl_check     check revocation status of signer's certificate using CRLs\n");
         BIO_printf(bio_err,
                    "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 71def2611a..572f0643e1 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -519,6 +519,8 @@ int MAIN(int argc, char **argv)
         BIO_printf(bio_err,
                    "-CAfile file         trusted certificates file\n");
         BIO_printf(bio_err,
+                   "-no_alt_chains       only ever use the first certificate chain found\n");
+        BIO_printf(bio_err,
                    "-VAfile file         validator certificates file\n");
         BIO_printf(bio_err,
                    "-validity_period n   maximum validity discrepancy in seconds\n");
diff --git a/apps/s_client.c b/apps/s_client.c
index b9b79756a3..28737b6d1e 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -323,6 +323,8 @@ static void sc_usage(void)
     BIO_printf(bio_err, " -CApath arg   - PEM format directory of CA's\n");
     BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n");
     BIO_printf(bio_err,
+               " -no_alt_chains - only ever use the first certificate chain found\n");
+    BIO_printf(bio_err,
                " -reconnect    - Drop and re-make the connection with the same Session-ID\n");
     BIO_printf(bio_err,
                " -pause        - sleep(1) after each read(2) and write(2) system call\n");
diff --git a/apps/s_server.c b/apps/s_server.c
index 7e501d21b9..b58e5e07c4 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -541,6 +541,8 @@ static void sv_usage(void)
     BIO_printf(bio_err, " -CApath arg   - PEM format directory of CA's\n");
     BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n");
     BIO_printf(bio_err,
+               " -no_alt_chains - only ever use the first certificate chain found\n");
+    BIO_printf(bio_err,
                " -nocert       - Don't use any certificates (Anon-DH)\n");
     BIO_printf(bio_err,
                " -cipher arg   - play with 'openssl ciphers' to see what goes here\n");
diff --git a/apps/smime.c b/apps/smime.c
index 7b351f601c..53e43c5e73 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
                    "-CApath dir    trusted certificates directory\n");
         BIO_printf(bio_err, "-CAfile file   trusted certificates file\n");
         BIO_printf(bio_err,
+                   "-no_alt_chains only ever use the first certificate chain found\n");
+        BIO_printf(bio_err,
                    "-crl_check     check revocation status of signer's certificate using CRLs\n");
         BIO_printf(bio_err,
                    "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
diff --git a/apps/verify.c b/apps/verify.c
index 7295c769f3..e29f9bb7e0 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -227,7 +227,7 @@ int MAIN(int argc, char **argv)
     if (ret == 1) {
         BIO_printf(bio_err,
                    "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
-        BIO_printf(bio_err, " [-attime timestamp]");
+        BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
 #ifndef OPENSSL_NO_ENGINE
         BIO_printf(bio_err, " [-engine e]");
 #endif