authorViktor Dukhovni <openssl-users@dukhovni.org>2016-01-28 03:01:45 -0500
committerViktor Dukhovni <openssl-users@dukhovni.org>2016-01-31 21:23:23 -0500
commit0daccd4dc1f1ac62181738a91714f35472e50f3c (patch)
tree5b7c2b6c5db0c2caf223ea978db03559b5eb90f8 /apps
parent1b4cf96f9b82ec3b06e7902bb21620a09cadd94e (diff)
Check chain extensions also for trusted certificates
This includes basic constraints, key usages, issuer EKUs and auxiliary trust OIDs (given a trust suitably related to the intended purpose). Added tests and updated documentation. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'apps')
-rw-r--r--apps/opt.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/apps/opt.c b/apps/opt.c
index 14e05de023..2fbc9fe8b2 100644
--- a/apps/opt.c
+++ b/apps/opt.c
@@ -496,14 +496,25 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
X509_VERIFY_PARAM_add0_policy(vpm, otmp);
break;
case OPT_V_PURPOSE:
+ /* purpose name -> purpose index */
i = X509_PURPOSE_get_by_sname(opt_arg());
if (i < 0) {
BIO_printf(bio_err, "%s: Invalid purpose %s\n", prog, opt_arg());
return 0;
}
+
+ /* purpose index -> purpose object */
xptmp = X509_PURPOSE_get0(i);
+
+ /* purpose object -> purpose value */
i = X509_PURPOSE_get_id(xptmp);
- X509_VERIFY_PARAM_set_purpose(vpm, i);
+
+ if (!X509_VERIFY_PARAM_set_purpose(vpm, i)) {
+ BIO_printf(bio_err,
+ "%s: Internal error setting purpose %s\n",
+ prog, opt_arg());
+ return 0;
+ }
break;
case OPT_V_VERIFY_NAME:
vtmp = X509_VERIFY_PARAM_lookup(opt_arg());
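Review bot: The context line at the top of this hunk, `X509_VERIFY_PARAM_add0_policy(vpm, otmp);`, still discards its return value, while the `OPT_V_PURPOSE` branch below it now fails closed when `X509_VERIFY_PARAM_set_purpose()` returns 0. If adding the policy fails, the option is dropped silently and verification would run with fewer constraints than the user requested, which is the same fail-open pattern this commit removes for the purpose. I would give it the same treatment, for example `if (!X509_VERIFY_PARAM_add0_policy(vpm, otmp)) { ASN1_OBJECT_free(otmp); return 0; }` with a matching `BIO_printf` to `bio_err`; the free assumes `otmp` is still owned by the caller on failure, which should be confirmed. That case begins above the hunk, so how `otmp` is created is not visible here. As a smaller point, `xptmp` from `X509_PURPOSE_get0(i)` is passed to `X509_PURPOSE_get_id()` without a NULL check; the index was just validated, so this is defensive only.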