Remove restriction to only cross-sign self-signed certificates

CLA: trivial Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21137)
author: Yannik Sembritzki <yannik@sembritzki.org> 2023-05-29 14:04:38 +0000
committer: Pauli <pauli@openssl.org> 2023-06-20 16:38:33 +1000
commit: 7f4cc3bc34e2fc1acf2abf1f2d791855c446c611 (patch)
tree: 6ecca8f5edd7a8d6eb471d5889dc8153a1515011 /apps
parent: 6b1f763c698cd9967250dacb1aadca6a6a9e9afe (diff)
1 files changed, 3 insertions, 10 deletions
diff --git a/apps/x509.c b/apps/x509.c
index 35f788c6dd..bd19cbd551 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -1149,16 +1149,7 @@ static int callb(int ok, X509_STORE_CTX *ctx)
     if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
         return 1;
 
-    /*
-     * BAD we should have gotten an error.  Normally if everything worked
-     * X509_STORE_CTX_get_error(ctx) will still be set to
-     * DEPTH_ZERO_SELF_....
-     */
-    if (ok) {
-        BIO_printf(bio_err,
-                   "Error with certificate to be certified - should be self-signed\n");
-        return 0;
-    } else {
+    if (!ok) {
         err_cert = X509_STORE_CTX_get_current_cert(ctx);
         print_name(bio_err, "subject=", X509_get_subject_name(err_cert));
         BIO_printf(bio_err,
@@ -1167,6 +1158,8 @@ static int callb(int ok, X509_STORE_CTX *ctx)
                    X509_verify_cert_error_string(err));
         return 1;
     }
+
+    return 1;
 }
 
 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt)
author	Yannik Sembritzki <yannik@sembritzki.org>	2023-05-29 14:04:38 +0000
committer	Pauli <pauli@openssl.org>	2023-06-20 16:38:33 +1000
commit	7f4cc3bc34e2fc1acf2abf1f2d791855c446c611 (patch)
tree	6ecca8f5edd7a8d6eb471d5889dc8153a1515011 /apps
parent	6b1f763c698cd9967250dacb1aadca6a6a9e9afe (diff)