authorDr. Stephen Henson <steve@openssl.org>2001-10-21 02:09:15 +0000
committerDr. Stephen Henson <steve@openssl.org>2001-10-21 02:09:15 +0000
commitf1558bb4243d83781793ed758367bd71d0983a35 (patch)
treee1971f6bf6360b9cd2e1fad6ad8f77ed4b916063 /apps/verify.c
parent6ca487992bc63d45f9780c6b83eecf025830e34b (diff)
Reject certificates with unhandled critical extensions.
Diffstat (limited to 'apps/verify.c')
-rw-r--r--apps/verify.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/apps/verify.c b/apps/verify.c
index d4bf0693c8..255bf5ad28 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -146,6 +146,8 @@ int MAIN(int argc, char **argv)
}
else if (strcmp(*argv,"-help") == 0)
goto end;
+ else if (strcmp(*argv,"-ignore_critical") == 0)
+ vflags |= X509_V_FLAG_IGNORE_CRITICAL;
else if (strcmp(*argv,"-issuer_checks") == 0)
vflags |= X509_V_FLAG_CB_ISSUER_CHECK;
else if (strcmp(*argv,"-crl_check") == 0)
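Review bot: The new `-ignore_critical` branch turns off a check whose purpose is to stop a verifier from accepting a certificate that carries constraints it cannot interpret, and nothing here documents that. The diffstat lists only these three insertions in apps/verify.c, so any usage text in this file was left unchanged. I would add a comment above the branch, for example `/* disables rejection of unknown critical extensions; diagnostic use only */`, and list the option in the usage output, assuming the `-help` path at `end` prints one. MAIN's option loop begins and ends outside the hunk.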
@@ -343,6 +345,7 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;
if (ctx->error == X509_V_ERR_CRL_HAS_EXPIRED) ok=1;
if (ctx->error == X509_V_ERR_CRL_NOT_YET_VALID) ok=1;
+ if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1;
}
if (!v_verbose)
ERR_clear_error();
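Review bot: The added `if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1;` overrides the rejection the commit title describes. This callback therefore lets verification continue past an unhandled critical extension whether or not `-ignore_critical` was given. If the intent is only to keep walking the chain so that every problem is printed, say so in a comment such as `/* continue to report further errors; the extension is still unhandled */`. The final verdict is decided outside this hunk, so it is worth checking that the tool's result and exit status still signal failure, since scripts that rely on this command would otherwise treat such a certificate as verified. If that cannot be guaranteed, dropping the line so the error stays fatal by default is the safer behaviour, with `-ignore_critical` as the explicit opt-out.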