authorMatt Caswell <matt@openssl.org>2015-01-27 10:50:38 +0000
committerMatt Caswell <matt@openssl.org>2015-02-25 09:15:02 +0000
commit25690b7f5f3d78a52c1377b823b40c6a0e12022b (patch)
tree7ec3978b77d913ea6b4af6a3da6efb4acaf1e0cc /apps
parent15dba5be6a4482a9ad7e5b846291f31e97e338ca (diff)
Add -no_alt_chains option to apps to implement the new
X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building certificate chains, the first chain found will be the one used. Without this flag, if the first chain found is not trusted then we will keep looking to see if we can build an alternative chain instead. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'apps')
-rw-r--r--apps/apps.c2
-rw-r--r--apps/cms.c2
-rw-r--r--apps/ocsp.c2
-rw-r--r--apps/s_client.c2
-rw-r--r--apps/s_server.c2
-rw-r--r--apps/smime.c2
-rw-r--r--apps/verify.c2
7 files changed, 13 insertions, 1 deletions
diff --git a/apps/apps.c b/apps/apps.c
index bf044d40f8..8412e24687 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2362,6 +2362,8 @@ int args_verify(char ***pargs, int *pargc,
flags |= X509_V_FLAG_SUITEB_192_LOS;
else if (!strcmp(arg, "-partial_chain"))
flags |= X509_V_FLAG_PARTIAL_CHAIN;
+ else if (!strcmp(arg, "-no_alt_chains"))
+ flags |= X509_V_FLAG_NO_ALT_CHAINS;
else
return 0;
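Review bot: The new `-no_alt_chains` branch in args_verify sets a flag that can change the verification result, and nothing at this site says in which direction. Going by the commit description, the flag stops chain building at the first chain found, so a certificate that would only validate through an alternative chain is rejected when the option is given. A short comment above `flags |= X509_V_FLAG_NO_ALT_CHAINS;`, such as `/* stop at the first chain built; never retry with an alternative chain */`, would record that. The diffstat is limited to apps, so it is not visible whether a test runs a certificate with both a trusted and an untrusted path with and without the option; if none exists it is worth adding. args_verify starts and ends outside this hunk.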
diff --git a/apps/cms.c b/apps/cms.c
index fbb5607398..479d1dddf2 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err,
"-trusted_first use locally trusted certificates first when building trust chain\n");
BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
"-crl_check check revocation status of signer's certificate using CRLs\n");
BIO_printf(bio_err,
"-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
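Review bot: The help text `only ever use the first certificate chain found` does not say what happens when that first chain is untrusted, which is the case the option exists for. Wording such as `"-no_alt_chains   do not try an alternative chain if the first one found is untrusted\n"` would make the effect on the verification result explicit. The same string is added in the ocsp.c, s_client.c, s_server.c and smime.c hunks and would want the same wording. MAIN's body continues outside this hunk.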
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 4b9d6f6b33..b0b3069676 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -538,6 +538,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err,
"-trusted_first use locally trusted CA's first when building trust chain\n");
BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
"-VAfile file validator certificates file\n");
BIO_printf(bio_err,
"-validity_period n maximum validity discrepancy in seconds\n");
diff --git a/apps/s_client.c b/apps/s_client.c
index 1607c6e438..bc82239f1b 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -321,6 +321,8 @@ static void sc_usage(void)
BIO_printf(bio_err,
" -trusted_first - Use local CA's first when building trust chain\n");
BIO_printf(bio_err,
+ " -no_alt_chains - only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
" -reconnect - Drop and re-make the connection with the same Session-ID\n");
BIO_printf(bio_err,
" -pause - sleep(1) after each read(2) and write(2) system call\n");
diff --git a/apps/s_server.c b/apps/s_server.c
index 573bc873bf..4311d6d6fb 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -509,6 +509,8 @@ static void sv_usage(void)
BIO_printf(bio_err,
" -trusted_first - Use locally trusted CA's first when building trust chain\n");
BIO_printf(bio_err,
+ " -no_alt_chains - only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
" -nocert - Don't use any certificates (Anon-DH)\n");
BIO_printf(bio_err,
" -cipher arg - play with 'openssl ciphers' to see what goes here\n");
diff --git a/apps/smime.c b/apps/smime.c
index 5efe51f7d7..930978fd9b 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -444,6 +444,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err,
"-trusted_first use locally trusted CA's first when building trust chain\n");
BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
"-crl_check check revocation status of signer's certificate using CRLs\n");
BIO_printf(bio_err,
"-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
diff --git a/apps/verify.c b/apps/verify.c
index 8f963f86c2..e771be22d2 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -236,7 +236,7 @@ int MAIN(int argc, char **argv)
end:
if (ret == 1) {
BIO_printf(bio_err,
- "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
+ "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check] [-no_alt_chains]");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err, " [-engine e]");
#endif