author Dr. Stephen Henson <steve@openssl.org> 1999-11-26 00:27:07 +0000
committer Dr. Stephen Henson <steve@openssl.org> 1999-11-26 00:27:07 +0000
commit d4cec6a13dfb2c1d1ddf66dff499aaf21bbbf002
tree 4ee543a5413ad1df09e71f97cb69dfe2b48c12da /CHANGES
parent 1126239111a89c52d301c3439d20dc0fd61649c2
New options to the -verify program which can be used for chain verification.
Extend the X509_PURPOSE structure to include shortnames for purposes and default trust ids. Still need some extendable trust checking code and integration with the SSL and S/MIME code.
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 16
1 files changed, 11 insertions, 5 deletions
diff --git a/CHANGES b/CHANGES
index 493f7e626b..5aaed4a82b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,15 +7,21 @@
*) Very preliminary certificate chain verify code. Currently just tests
the untrusted certificates for consistency with the verify purpose
(which is set when the X509_STORE_CTX structure is set up) and checks
- the pathlength. Totally untested at present: needs some extra
- functionality in the verify program first. There is a
- NO_CHAIN_VERIFY compilation option to keep the old behaviour: this is
- because when it is finally working it will reject chains with
- invalid extensions whereas before it made no checks at all.
+ the pathlength. There is a NO_CHAIN_VERIFY compilation option to keep
+ the old behaviour: this is because when it is finally working it will
+ reject chains with invalid extensions whereas before it made no checks
+ at all.
+
+ Still needs some trust checking code.
Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
which should be used for version portability: especially since the
verify structure is likely to change more often now.
+
+ Two new options to the verify program: -untrusted allows a set of
+ untrusted certificates to be passed in and -purpose which sets the
+ intended purpose of the certificate. If a purpose is set then the
+ new chain verify code is used to check extension consistency.
[Steve Henson]
*) Support for the authority information access extension.
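Review bot: In the added paragraph on the verify options (the lines starting "Two new options to the verify program"), only the case where a purpose is set is documented; state explicitly what happens when -purpose is omitted, which the wording "If a purpose is set then the new chain verify code is used" suggests is that no extension consistency check runs at all. Because the entry now also says "Still needs some trust checking code.", it would help to say beside the option description that a run with -purpose covers extension consistency and pathlength only, not trust, so a passing result is not read as full chain validation. The commit message mentions extending X509_PURPOSE with shortnames and default trust ids, which this entry does not record; consider adding a line for it. With "Totally untested at present" removed, the remaining "when it is finally working" under a "Very preliminary" heading leaves the current state ambiguous and could be reworded.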