author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-02-09 14:17:13 -0500 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-02-10 12:34:06 -0500 |
commit | d33def662443c4b534c6b261a3b01f3960339c78 (patch) | |
tree | 4e95fd943d9df02700d60d5dbb493a6a2d4dec05 /crypto | |
parent | 056be06b4dfd7eaf7914febd043e9b446e1ed772 (diff) |
Deprecate the -issuer_checks debugging option
This was a developer debugging feature and was never a useful public
interface.
Added all missing X509 error codes to the verify(1) manpage, but
many still need a description beyond the associated text string.
Sorted the errors in x509_txt.c by error number.
Reviewed-by: Stephen Henson <steve@openssl.org>
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/x509/x509_txt.c | 27 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.c | 11 |
2 files changed, 14 insertions, 24 deletions
diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index 884c3afdd4..f7f27e97ef 100644
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -90,10 +90,10 @@ const char *X509_verify_cert_error_string(long n)
 return ("CRL signature failure");
 case X509_V_ERR_CERT_NOT_YET_VALID:
 return ("certificate is not yet valid");
- case X509_V_ERR_CRL_NOT_YET_VALID:
- return ("CRL is not yet valid");
 case X509_V_ERR_CERT_HAS_EXPIRED:
 return ("certificate has expired");
+ case X509_V_ERR_CRL_NOT_YET_VALID:
+ return ("CRL is not yet valid");
 case X509_V_ERR_CRL_HAS_EXPIRED:
 return ("CRL has expired");
 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
@@ -120,23 +120,14 @@ const char *X509_verify_cert_error_string(long n)
 return ("certificate revoked");
 case X509_V_ERR_INVALID_CA:
 return ("invalid CA certificate");
- case X509_V_ERR_INVALID_NON_CA:
- return ("invalid non-CA certificate (has CA markings)");
 case X509_V_ERR_PATH_LENGTH_EXCEEDED:
 return ("path length constraint exceeded");
- case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
- return ("proxy path length constraint exceeded");
- case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
- return
- ("proxy certificates not allowed, please set the appropriate flag");
 case X509_V_ERR_INVALID_PURPOSE:
 return ("unsupported certificate purpose");
 case X509_V_ERR_CERT_UNTRUSTED:
 return ("certificate not trusted");
 case X509_V_ERR_CERT_REJECTED:
 return ("certificate rejected");
- case X509_V_ERR_APPLICATION_VERIFICATION:
- return ("application verification failure");
 case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
 return ("subject issuer mismatch");
 case X509_V_ERR_AKID_SKID_MISMATCH:
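Review bot: Nothing in these hunks records the ordering they establish, so the next X509_V_ERR_* code added to X509_verify_cert_error_string() can land out of order again, or be left out and reported with whatever the switch's default branch returns, which makes a verification failure harder to diagnose. The switch header is outside the hunks; a one-line comment above it, such as `/* Keep the cases in the numeric order of the X509_V_ERR_* values */`, would make the convention visible to whoever adds the next code. The same point covers the later hunks at -120, -151 and -167 of this file. The six moved cases are each removed once and re-added once, so no string appears to be lost by the reordering.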
@@ -151,10 +142,17 @@ const char *X509_verify_cert_error_string(long n)
 return ("unhandled critical extension");
 case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
 return ("key usage does not include CRL signing");
- case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
- return ("key usage does not include digital signature");
 case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
 return ("unhandled critical CRL extension");
+ case X509_V_ERR_INVALID_NON_CA:
+ return ("invalid non-CA certificate (has CA markings)");
+ case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
+ return ("proxy path length constraint exceeded");
+ case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
+ return ("key usage does not include digital signature");
+ case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
+ return
+ ("proxy certificates not allowed, please set the appropriate flag");
 case X509_V_ERR_INVALID_EXTENSION:
 return ("invalid or inconsistent certificate extension");
 case X509_V_ERR_INVALID_POLICY_EXTENSION:
@@ -167,13 +165,14 @@ const char *X509_verify_cert_error_string(long n)
 return ("Unsupported extension feature");
 case X509_V_ERR_UNNESTED_RESOURCE:
 return ("RFC 3779 resource not subset of parent's resources");
-
 case X509_V_ERR_PERMITTED_VIOLATION:
 return ("permitted subtree violation");
 case X509_V_ERR_EXCLUDED_VIOLATION:
 return ("excluded subtree violation");
 case X509_V_ERR_SUBTREE_MINMAX:
 return ("name constraints minimum and maximum not supported");
+ case X509_V_ERR_APPLICATION_VERIFICATION:
+ return ("application verification failure");
 case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:
 return ("unsupported name constraint type");
 case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX:
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index f8b9b503ac..ae07f37f36 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -318,16 +318,7 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) } } - if (ret == X509_V_OK) - return 1; - /* If we haven't asked for issuer errors don't set ctx */ - if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) - return 0; - - ctx->error = ret; - ctx->current_cert = x; - ctx->current_issuer = issuer; - return ctx->verify_cb(0, ctx); + return (ret == X509_V_OK); } /* Alternative lookup method: look from a STACK stored in other_ctx */ |
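Review bot: check_issued() now discards the specific X509_V_ERR_* value held in `ret` and no longer consults `X509_V_FLAG_CB_ISSUER_CHECK`, so an application that still sets that flag silently stops receiving the per-candidate callback. Because the removed code returned `ctx->verify_cb(0, ctx)`, a callback could previously turn a failed issuer check into an accepted one; the new code is stricter and does not touch `ctx->error`, `ctx->current_cert` or `ctx->current_issuer`. The diffstat on this page is limited to crypto/, so whether the flag's declaration and the change log tell callers about this cannot be confirmed from here. The function starts outside the hunk; I would document the new contract above it with `/* Returns 1 if issuer passes the issuer checks for x, 0 otherwise; never sets ctx->error or calls verify_cb. */`.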