diff options
| -rw-r--r-- | apps/apps.h | 8 | ||||
| -rw-r--r-- | apps/opt.c | 3 | ||||
| -rw-r--r-- | apps/verify.c | 1 | ||||
| -rw-r--r-- | doc/apps/verify.pod | 12 |
4 files changed, 20 insertions, 4 deletions
diff --git a/apps/apps.h b/apps/apps.h index 616f1840c0..319b02ef19 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -85,7 +85,7 @@ int has_stdin_waiting(void); OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \ OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \ OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \ - OPT_V_VERIFY_AUTH_LEVEL, \ + OPT_V_VERIFY_AUTH_LEVEL, OPT_V_ALLOW_PROXY_CERTS, \ OPT_V__LAST # define OPT_V_OPTIONS \ @@ -135,7 +135,8 @@ int has_stdin_waiting(void); { "partial_chain", OPT_V_PARTIAL_CHAIN, '-', \ "accept chains anchored by intermediate trust-store CAs"}, \ { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)" }, \ - { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" } + { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }, \ + { "allow_proxy_certs", OPT_V_ALLOW_PROXY_CERTS, '-', "allow the use of proxy certificates" } # define OPT_V_CASES \ OPT_V__FIRST: case OPT_V__LAST: break; \ @@ -167,7 +168,8 @@ int has_stdin_waiting(void); case OPT_V_SUITEB_192: \ case OPT_V_PARTIAL_CHAIN: \ case OPT_V_NO_ALT_CHAINS: \ - case OPT_V_NO_CHECK_TIME + case OPT_V_NO_CHECK_TIME: \ + case OPT_V_ALLOW_PROXY_CERTS /* * Common "extended"? options. diff --git a/apps/opt.c b/apps/opt.c index d694fe15f2..f72ac64ec7 100644 --- a/apps/opt.c +++ b/apps/opt.c @@ -580,6 +580,9 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm) case OPT_V_NO_CHECK_TIME: X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME); break; + case OPT_V_ALLOW_PROXY_CERTS: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_ALLOW_PROXY_CERTS); + break; } return 1; diff --git a/apps/verify.c b/apps/verify.c index 86d1b2a851..40e19d45dc 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -214,6 +214,7 @@ static int check(X509_STORE *ctx, char *file, (file == NULL) ? "stdin" : file); goto end; } + X509_STORE_set_flags(ctx, vflags); if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) { printf("error %s: X.509 store context initialization failed\n", diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index 051cd624f1..0fd1799af2 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -12,6 +12,7 @@ B<openssl> B<verify> [B<-CApath directory>] [B<-no-CAfile>] [B<-no-CApath>] +[B<-allow_proxy_certs>] [B<-attime timestamp>] [B<-check_ss_sig>] [B<-CRLfile file>] @@ -83,6 +84,10 @@ Do not load the trusted CA certificates from the default file location Do not load the trusted CA certificates from the default directory location +=item B<-allow_proxy_certs> + +Allow the verification of proxy certificates + =item B<-attime timestamp> Perform validation checks using time specified by B<timestamp> and not @@ -564,13 +569,18 @@ Invalid non-CA certificate has CA markings. Proxy path length constraint exceeded. +=item B<X509_V_ERR_PROXY_SUBJECT_INVALID> + +Proxy certificate subject is invalid. It MUST be the same as the issuer +with a single CN component added. + =item B<X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE> Key usage does not include digital signature. =item B<X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED> -Proxy certificates not allowed, please set the appropriate flag. +Proxy certificates not allowed, please use B<-allow_proxy_certs>. =item B<X509_V_ERR_INVALID_EXTENSION> |