authorRich Salz <rsalz@akamai.com>2015-07-09 14:54:13 -0400
committerRich Salz <rsalz@openssl.org>2015-07-14 07:46:20 -0400
commit5b89036c41a009a76cd0e1595dde5001ae157972 (patch)
treeadf1d29e8b504cc62a6cf17c9c28216ca7af9ea9
parente5c0bc6cc49a23b50a272801c4bd53639c25fca4 (diff)
Can't use -trusted with -CA{path,file}
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
-rw-r--r--apps/verify.c8
-rw-r--r--doc/apps/verify.pod12
2 files changed, 15 insertions, 5 deletions
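--- a/apps/verify.c
+++ b/apps/verify.c
@@ -88,7 +88,7 @@ OPTIONS verify_options[] = {
 {"CApath", OPT_CAPATH, '/', "A directory of trusted certificates"},
 {"CAfile", OPT_CAFILE, '<', "A file of trusted certificates"},
 {"untrusted", OPT_UNTRUSTED, '<', "A file of untrusted certificates"},
-{"trusted", OPT_TRUSTED, '<', "A file of additional trusted certificates"},
+{"trusted", OPT_TRUSTED, '<', "A file of trusted certificates"},
 {"CRLfile", OPT_CRLFILE, '<',
 "File containing one or more CRL's (in PEM format) to load"},
 {"crl_download", OPT_CRL_DOWNLOAD, '-',
@@ -180,6 +180,12 @@ int verify_main(int argc, char **argv)
 }
 argc = opt_num_rest();
 argv = opt_rest();
+if (trustfile && (CAfile || CApath)) {
+BIO_printf(bio_err,
+"%s: Cannot use -trusted with -CAfile or -CApath\n",
+prog);
+goto end;
+}
 if (!app_load_modules(NULL))
 goto end;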
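Review bot: The new check in the second hunk only rejects an explicit -CAfile or -CApath, while the updated verify.pod promises that with -trusted no default certificate list is consulted at all; whether the default CA store that verify_main builds later (outside this hunk) is really bypassed for issuer lookup depends on how the trusted stack is installed into the verify context, which is not visible here and is worth confirming before the manual makes that guarantee. The help string changed in the first hunk could state the same restriction so that `-help` and the manual agree, e.g. `{"trusted", OPT_TRUSTED, '<', "A file of trusted certificates (not with -CAfile/-CApath)"},`. verify_main starts and ends outside the hunk, so the value `ret` holds when this `goto end` is taken cannot be seen; it should be the same failure status the other option-error exits in this function produce.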
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index 9cc7fcb817..b1253da740 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -182,13 +182,17 @@ behaviour to match that of OpenSSL versions prior to 1.1.0.
=item B<-untrusted file>
-A file of untrusted certificates. The file should contain multiple certificates
-in PEM format concatenated together.
+A file of untrusted certificates. The file should contain one or more
+certificates in PEM format.
=item B<-trusted file>
-A file of additional trusted certificates. The file should contain multiple
-certificates in PEM format concatenated together.
+A file of trusted certificates. The file contain one or more
+certificates in PEM format.
+With this option, no additional (e.g., default) certificate lists
+are consulted. That is, the only trusted issuers are those listed
+in B<file>.
+This option cannot be used with the B<-CAfile> or B<-CApath> options.
=item B<-use_deltas>