diff options
Diffstat (limited to 'apps/verify.c')
-rw-r--r-- | apps/verify.c | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/apps/verify.c b/apps/verify.c index 9a226f0360..ba4a8c283d 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -356,13 +356,28 @@ static int cb(int ok, X509_STORE_CTX *ctx) case X509_V_ERR_INVALID_CA: case X509_V_ERR_INVALID_NON_CA: case X509_V_ERR_PATH_LENGTH_EXCEEDED: - case X509_V_ERR_INVALID_PURPOSE: case X509_V_ERR_CRL_HAS_EXPIRED: case X509_V_ERR_CRL_NOT_YET_VALID: case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: + /* errors due to strict conformance checking (-x509_strict) */ + case X509_V_ERR_INVALID_PURPOSE: + case X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA: + case X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN: + case X509_V_ERR_CA_BCONS_NOT_CRITICAL: + case X509_V_ERR_CA_CERT_MISSING_KEY_USAGE: + case X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA: + case X509_V_ERR_ISSUER_NAME_EMPTY: + case X509_V_ERR_SUBJECT_NAME_EMPTY: + case X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL: + case X509_V_ERR_EMPTY_SUBJECT_ALT_NAME: + case X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY: + case X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL: + case X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL: + case X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER: + case X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER: + case X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3: ok = 1; } - return ok; } |