diff options
author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-27 22:43:23 -0500 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-29 10:53:46 -0500 |
commit | aea6116146ef462d11950ebf701e0f56a38b3d75 (patch) | |
tree | 810de6d4e9c918d69c0b8e7a6d2220191c3704e9 /crypto/x509 | |
parent | d8ca44ba4158a9dafeaa30d3cba6f113904d2aa6 (diff) |
Make it possible to check for explicit auxiliary trust
By default X509_check_trust() trusts self-signed certificates from
the trust store that have no explicit local trust/reject oids
encapsulated as a "TRUSTED CERTIFICATE" object. (See the -addtrust
and -trustout options of x509(1)).
This commit adds a flag that makes it possible to distinguish between
that implicit trust, and explicit auxiliary settings.
With flags |= X509_TRUST_NO_SS_COMPAT, a certificate is only trusted
via explicit trust settings.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'crypto/x509')
-rw-r--r-- | crypto/x509/x509_trs.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c index 72c8110313..7392c55953 100644 --- a/crypto/x509/x509_trs.c +++ b/crypto/x509/x509_trs.c @@ -285,7 +285,7 @@ static int trust_compat(X509_TRUST *trust, X509 *x, int flags) { /* Call for side-effect of computing hash and caching extensions */ X509_check_purpose(x, -1, 0); - if (x->ex_flags & EXFLAG_SS) + if ((flags & X509_TRUST_NO_SS_COMPAT) == 0 && x->ex_flags & EXFLAG_SS) return X509_TRUST_TRUSTED; else return X509_TRUST_UNTRUSTED; |