author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-28 03:01:45 -0500 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-31 21:23:23 -0500 |
commit | 0daccd4dc1f1ac62181738a91714f35472e50f3c (patch) | |
tree | 5b7c2b6c5db0c2caf223ea978db03559b5eb90f8 /apps | |
parent | 1b4cf96f9b82ec3b06e7902bb21620a09cadd94e (diff) |
Check chain extensions also for trusted certificates
This includes basic constraints, key usages, issuer EKUs and auxiliary
trust OIDs (given a trust suitably related to the intended purpose).
Added tests and updated documentation.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'apps')
-rw-r--r-- | apps/opt.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/apps/opt.c b/apps/opt.c
index 14e05de023..2fbc9fe8b2 100644
--- a/apps/opt.c
+++ b/apps/opt.c
@@ -496,14 +496,25 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
 X509_VERIFY_PARAM_add0_policy(vpm, otmp);
 break;
 case OPT_V_PURPOSE:
+ /* purpose name -> purpose index */
 i = X509_PURPOSE_get_by_sname(opt_arg());
 if (i < 0) {
 BIO_printf(bio_err, "%s: Invalid purpose %s\n", prog, opt_arg());
 return 0;
 }
+
+ /* purpose index -> purpose object */
 xptmp = X509_PURPOSE_get0(i);
+
+ /* purpose object -> purpose value */
 i = X509_PURPOSE_get_id(xptmp);
- X509_VERIFY_PARAM_set_purpose(vpm, i);
+
+ if (!X509_VERIFY_PARAM_set_purpose(vpm, i)) {
+ BIO_printf(bio_err,
+ "%s: Internal error setting purpose %s\n",
+ prog, opt_arg());
+ return 0;
+ }
 break;
 case OPT_V_VERIFY_NAME:
 vtmp = X509_VERIFY_PARAM_lookup(opt_arg()); |
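Review bot: The `X509_VERIFY_PARAM_add0_policy(vpm, otmp);` call in the case just above `OPT_V_PURPOSE` still ignores its return value, so a policy OID that fails to attach would be dropped silently and verification would run with looser constraints than the user requested. It should fail closed the same way the new purpose check does: wrap it as `if (!X509_VERIFY_PARAM_add0_policy(vpm, otmp)) {`, report through `BIO_printf(bio_err, ...)`, and `return 0;`. Since an add0-style call presumably leaves ownership with the caller on failure, `otmp` would also need freeing on that path. That case begins outside the hunk, as does the rest of `opt_verify`, so other setters in the function may need the same treatment. On style, `i` holds a purpose index and then a purpose id; the new comments help, but a separate local for the id would make the distinction clear without them.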