From feb2f53edc7e9b96cfe9c0ab611461edabdd2b34 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Sat, 16 Jan 2016 01:15:02 -0500 Subject: Multiple -trusted/-untrusted/-CRLfile options in verify It is sometimes useful (especially in automated tests) to supply multiple trusted or untrusted certificates via separate files rather than have to prepare a single file containing them all. To that end, change verify(1) to accept these options zero or more times. Also automatically set -no-CAfile and -no-CApath when -trusted is specified. Improve verify(1) documentation, which could still use some work. Reviewed-by: Richard Levitte
---
 apps/verify.c | 38 ++++++++++++++++----------------------
 1 file changed, 16 insertions(+), 22 deletions(-)
(limited to 'apps')
diff --git a/apps/verify.c b/apps/verify.c
index 183579c06d..158504464b 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -115,7 +115,6 @@ int verify_main(int argc, char **argv)
 X509_VERIFY_PARAM *vpm = NULL;
 char *prog, *CApath = NULL, *CAfile = NULL;
 int noCApath = 0, noCAfile = 0;
- char *untfile = NULL, *trustfile = NULL, *crlfile = NULL;
 int vpmtouched = 0, crl_download = 0, show_chain = 0, i = 0, ret = 1;
 OPTION_CHOICE o;
@@ -167,13 +166,24 @@ int verify_main(int argc, char **argv)
 noCAfile = 1;
 break;
 case OPT_UNTRUSTED:
- untfile = opt_arg();
+ /* Zero or more times */
+ if (!load_certs(opt_arg(), &untrusted, FORMAT_PEM, NULL, e,
+ "untrusted certificates"))
+ goto end;
 break;
 case OPT_TRUSTED:
- trustfile = opt_arg();
+ /* Zero or more times */
+ noCAfile = 1;
+ noCApath = 1;
+ if (!load_certs(opt_arg(), &trusted, FORMAT_PEM, NULL, e,
+ "trusted certificates"))
+ goto end;
 break;
 case OPT_CRLFILE:
- crlfile = opt_arg();
+ /* Zero or more times */
+ if (!load_crls(opt_arg(), &crls, FORMAT_PEM, NULL, e,
+ "other CRLs"))
+ goto end;
 break;
 case OPT_CRL_DOWNLOAD:
 crl_download = 1;
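Review bot: The "zero or more times" behaviour in the OPT_UNTRUSTED, OPT_TRUSTED and OPT_CRLFILE cases relies on load_certs/load_crls appending to an already-populated `*certs`/`*crls` stack, because each repeated option passes the same destination (`&untrusted`, `&trusted`, `&crls`); those helpers are in apps.c and not in this diff, so this cannot be confirmed here. If they instead allocate a fresh stack, each repeated option leaks the previous stack and silently drops its contents, which for `-trusted` would quietly shrink the set of trust anchors without any error. Worth confirming against load_certs_crls, and the comment would then carry the contract for readers: `/* Zero or more times; load_certs appends to the existing stack */`. The OPT_TRUSTED case also deserves a one-line reason for the two new assignments, e.g. `/* -trusted replaces the default store, so imply -no-CAfile/-no-CApath */`. verify_main continues outside the hunk on both sides.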
@@ -182,6 +192,7 @@ int verify_main(int argc, char **argv)
 show_chain = 1;
 break;
 case OPT_ENGINE:
+ /* Specify *before* -trusted/-untrusted/-CRLfile */
 e = setup_engine(opt_arg(), 0);
 break;
 case OPT_VERBOSE:
@@ -191,7 +202,7 @@ int verify_main(int argc, char **argv)
 }
 argc = opt_num_rest();
 argv = opt_rest();
- if (trustfile && (CAfile || CApath)) {
+ if (trusted != NULL && (CAfile || CApath)) {
 BIO_printf(bio_err,
 "%s: Cannot use -trusted with -CAfile or -CApath\n",
 prog);
@@ -207,23 +218,6 @@ int verify_main(int argc, char **argv)
 ERR_clear_error();
- if (untfile) {
- if (!load_certs(untfile, &untrusted, FORMAT_PEM, NULL, e,
- "untrusted certificates"))
- goto end;
- }
-
- if (trustfile) {
- if (!load_certs(trustfile, &trusted, FORMAT_PEM, NULL, e,
- "trusted certificates"))
- goto end;
- }
-
- if (crlfile) {
- if (!load_crls(crlfile, &crls, FORMAT_PEM, NULL, e, "other CRLs"))
- goto end;
- }
-
 if (crl_download)
 store_setup_crl_download(store);
-- cgit v1.2.3
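Review bot: The ordering requirement stated by the new comment at `case OPT_ENGINE:` is enforced only by that comment: the OPT_UNTRUSTED/OPT_TRUSTED/OPT_CRLFILE cases now call load_certs/load_crls with whatever `e` holds at the moment each option is parsed, so an `-engine` that appears later on the command line is silently ignored for files already loaded. Whether the engine changes the outcome of a FORMAT_PEM load is not visible in this diff; if it does, a misordered invocation yields a different trust or CRL set with no diagnostic, which is the kind of silent divergence a verification tool should refuse. A cheap guard is to reject `-engine` once any of the three stacks has been populated, using the same `bio_err`/`prog`/`goto end` pattern the file already uses for the -trusted/-CAfile conflict. verify_main continues outside the hunk on both sides.

```c
        case OPT_ENGINE:
            /* Specify *before* -trusted/-untrusted/-CRLfile */
            if (trusted != NULL || untrusted != NULL || crls != NULL) {
                BIO_printf(bio_err,
                           "%s: -engine must precede -trusted/-untrusted/-CRLfile\n",
                           prog);
                goto end;
            }
            e = setup_engine(opt_arg(), 0);
            break;
```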