authorRichard Levitte <levitte@openssl.org>2016-06-19 10:55:43 +0200
committerRichard Levitte <levitte@openssl.org>2016-06-20 21:34:37 +0200
commita392ef20f0a9fedc811b6a06bf50ff3f151e266f (patch)
treefb2b07384737b8c961a0fdcfc5467ec871424e24 /apps
parented17c7c146a79100bfba5609c3889bddb14f74a2 (diff)
Allow proxy certs to be present when verifying a chain
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Stephen Henson <steve@openssl.org>
Diffstat (limited to 'apps')
-rw-r--r--apps/apps.h8
-rw-r--r--apps/opt.c3
-rw-r--r--apps/verify.c1
3 files changed, 9 insertions, 3 deletions
diff --git a/apps/apps.h b/apps/apps.h
index 616f1840c0..319b02ef19 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -85,7 +85,7 @@ int has_stdin_waiting(void);
OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
- OPT_V_VERIFY_AUTH_LEVEL, \
+ OPT_V_VERIFY_AUTH_LEVEL, OPT_V_ALLOW_PROXY_CERTS, \
OPT_V__LAST
# define OPT_V_OPTIONS \
@@ -135,7 +135,8 @@ int has_stdin_waiting(void);
{ "partial_chain", OPT_V_PARTIAL_CHAIN, '-', \
"accept chains anchored by intermediate trust-store CAs"}, \
{ "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)" }, \
- { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }
+ { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }, \
+ { "allow_proxy_certs", OPT_V_ALLOW_PROXY_CERTS, '-', "allow the use of proxy certificates" }
# define OPT_V_CASES \
OPT_V__FIRST: case OPT_V__LAST: break; \
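Review bot: The help string for the new entry, `"allow the use of proxy certificates"`, does not tell the operator what the option relaxes; since it maps to X509_V_FLAG_ALLOW_PROXY_CERTS (see the opt.c hunk), proxy certificates in the chain are accepted only when this flag is set, so the wording should make that explicit. Suggested line: `{ "allow_proxy_certs", OPT_V_ALLOW_PROXY_CERTS, '-', "accept RFC 3820 proxy certificates in the chain" }`. The OPT_V_OPTIONS macro this hunk edits is tied to the OPT_V_ENUM and OPT_V_CASES lists changed in the neighbouring hunks, and all three are updated consistently here.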
@@ -167,7 +168,8 @@ int has_stdin_waiting(void);
case OPT_V_SUITEB_192: \
case OPT_V_PARTIAL_CHAIN: \
case OPT_V_NO_ALT_CHAINS: \
- case OPT_V_NO_CHECK_TIME
+ case OPT_V_NO_CHECK_TIME: \
+ case OPT_V_ALLOW_PROXY_CERTS
/*
* Common "extended"? options.
diff --git a/apps/opt.c b/apps/opt.c
index d694fe15f2..f72ac64ec7 100644
--- a/apps/opt.c
+++ b/apps/opt.c
@@ -580,6 +580,9 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
case OPT_V_NO_CHECK_TIME:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME);
break;
+ case OPT_V_ALLOW_PROXY_CERTS:
+ X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_ALLOW_PROXY_CERTS);
+ break;
}
return 1;
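Review bot: The new case sets X509_V_FLAG_ALLOW_PROXY_CERTS through the same X509_VERIFY_PARAM_set_flags path as the OPT_V_NO_CHECK_TIME case above it, which is consistent, but opt_verify() is the common handler for every app that pulls in OPT_V_OPTIONS, so this flag becomes available to all of them, not only verify(1); a short comment on the case, e.g. `/* proxy certs are rejected unless this flag is set */`, would make the effect visible at the call site. The diffstat is limited to apps/, so whether the manual page for the -allow_proxy_certs option is updated elsewhere in this change cannot be seen here. opt_verify() starts before this hunk.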
diff --git a/apps/verify.c b/apps/verify.c
index 86d1b2a851..40e19d45dc 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -214,6 +214,7 @@ static int check(X509_STORE *ctx, char *file,
(file == NULL) ? "stdin" : file);
goto end;
}
+
X509_STORE_set_flags(ctx, vflags);
if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
printf("error %s: X.509 store context initialization failed\n",