author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-12-23 23:29:04 +0100 |
---|---|---|
committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-06-08 07:47:41 +0200 |
commit | f9ac6f6956a23bd89e1d6bc9b5dcbb3df06544a1 (patch) | |
tree | 3d39b5da0d82fa15ba4ce516ab84897e5923225a /crypto | |
parent | 2576b9c31c66aabd2464a2c404a15421208607eb (diff) |
Improve the documentation of cert path building and validation
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/x509/v3_purp.c | 8 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.c | 3 |
2 files changed, 6 insertions, 5 deletions
diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c index bcec4194fa..a6ebbd5f94 100644 --- a/crypto/x509/v3_purp.c +++ b/crypto/x509/v3_purp.c @@ -894,10 +894,10 @@ static int no_check_purpose(const X509_PURPOSE *xp, const X509 *x, * This can be used to prune a set of possible issuer certificates which * have been looked up using some simple method such as by subject name. * These are: - * 1. Check issuer_name(subject) == subject_name(issuer) - * 2. If akid(subject) exists, check that it matches issuer - * 3. Check that issuer public key algorithm matches subject signature algorithm - * 4. Check that any key_usage(issuer) allows certificate signing + * 1. issuer_name(subject) == subject_name(issuer) + * 2. If akid(subject) exists, it matches the respective issuer fields. + * 3. subject signature algorithm == issuer public key algorithm + * 4. If key_usage(issuer) exists, it allows for signing subject. * Note that this does not include actually checking the signature. * Returns 0 for OK, or positive for reason for mismatch * where reason codes match those for X509_verify_cert(). diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 01e5f2c59b..f020d4864d 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -3007,7 +3007,8 @@ static int build_chain(X509_STORE_CTX *ctx) #define S_DOTRUSTED (1 << 1) /* Search trusted store */ #define S_DOALTERNATE (1 << 2) /* Retry with pruned alternate chain */ /* - * Set up search policy, untrusted if possible, trusted-first if enabled. + * Set up search policy, untrusted if possible, trusted-first if enabled, + * which is the default. * If we're doing DANE and not doing PKIX-TA/PKIX-EE, we never look in the * trust_store, otherwise we might look there first. If not trusted-first, * and alternate chains are not disabled, try building an alternate chain |
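Review bot: In the crypto/x509/v3_purp.c comment, new item 2 ("it matches the respective issuer fields") does not say which issuer fields are compared against the akid, so the reader still has to open the akid check to find out; name them in the comment. New item 4 ("it allows for signing subject") also drops the explicit "certificate signing" of the old wording; "it allows signing the subject certificate" would keep that point. Items 2 and 4 now end with a period while items 1 and 3 do not, so pick one punctuation style for the list.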
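Review bot: In the crypto/x509/x509_vfy.c hunk, the added line "which is the default." in the build_chain() search-policy comment is ambiguous: it can attach to the whole search policy or only to trusted-first being enabled. Suggest folding it into the previous line as "trusted-first if enabled (enabled by default)", and consider naming the setting that controls it so a reader can find where the default is set, since the following sentences ("If not trusted-first, and alternate chains are not disabled") depend on that state.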