All the necessary bits are in place to make this possible,
they just never got wired up. With this, for instance, when
you use the 'verify' sub-command to verify a certificate
chain with '-purpose sslserver', error 28 will occur if the
root cert is not trusted for X509_TRUST_SSL_SERVER. This
matches the behaviour of actual SSL client code (e.g.
's_client') more closely.

This is a follow-up to my last couple of mails where I worked
all this stuff out; it turns out it's actually (seemingly)
pretty trivial to go ahead and hook up the appropriate trust
param when -purpose is passed. I tested this in the setup
described in my earlier emails; verify functions as expected
in that case.
---
 apps/apps.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/apps/apps.c b/apps/apps.c
index ac709a6..58a1b87 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2383,7 +2383,7 @@ int args_verify(char ***pargs, int *pargc,
        ASN1_OBJECT *otmp = NULL;
        unsigned long flags = 0;
        int i;
-       int purpose = 0, depth = -1;
+       int purpose = 0, trust = 0, depth = -1;
        char **oldargs = *pargs;
        char *arg = **pargs, *argn = (*pargs)[1];
        const X509_VERIFY_PARAM *vpm = NULL;
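Review bot: a short comment next to `trust = 0` would help, since this 0 means "no -purpose given on the command line" rather than the library's own default trust id, and the two are easy to confuse when reading the `if (trust)` guard further down; e.g. `int purpose = 0, trust = 0 /* derived from -purpose */, depth = -1;`. Style only.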
@@ -2424,6 +2424,7 @@ int args_verify(char ***pargs, int *pargc,
                                {
                                xptmp = X509_PURPOSE_get0(i);
                                purpose = X509_PURPOSE_get_id(xptmp);
+                               trust = X509_PURPOSE_get_trust(xptmp);
                                }
                        }
                (*pargs)++;
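Review bot: `trust` is copied straight from the purpose table, so any purpose entry whose trust field is `X509_TRUST_DEFAULT` hands that sentinel to the caller, and if that constant is non-zero in this tree the `if (trust)` guard later in the patch installs it in the verify params instead of leaving them untouched. Either normalise it here (`if (trust == X509_TRUST_DEFAULT) trust = 0;`) so such purposes keep today's behaviour, or add a comment explaining why passing it through is safe. Placing the assignment beside `purpose = X509_PURPOSE_get_id(xptmp);` does mean a repeated `-purpose` overrides both values together, which is the consistent choice.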
@@ -2564,6 +2565,9 @@ int args_verify(char ***pargs, int *pargc,
        if (purpose)
                X509_VERIFY_PARAM_set_purpose(*pm, purpose);
 
+       if (trust)
+               X509_VERIFY_PARAM_set_trust(*pm, trust);
+
        if (depth >= 0)
                X509_VERIFY_PARAM_set_depth(*pm, depth);
 
-- 
2.2.1

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

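The effect the message describes, error 28 ("certificate rejected") from `openssl verify -purpose sslserver` when the root is a trust anchor whose trust settings reject serverAuth, as an added example that is not part of the original mail or of OpenSSL itself. It assumes a modern `openssl` binary (1.1.1 or later) on PATH, where the library already infers the trust id from the purpose much as this patch does for the 1.0.x apps; the throwaway root CA, the `example.test` leaf certificate and the `ext.cnf` config are all constructed here.

```shell
#!/bin/sh
# Added example, not code from the original mail or from OpenSSL. Assumes a
# modern `openssl` (1.1.1 or later) on PATH, which derives the trust id from
# the purpose inside the library; everything below (CA, leaf, config) is
# constructed for the demonstration and thrown away on exit.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found on PATH; nothing to demonstrate" >&2
    exit 0
fi

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed config: CA extensions for the root, TLS-server extensions for the leaf.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Test Root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF

# Self-signed root and a leaf issued for example.test (throwaway keys).
openssl req -x509 -new -config ext.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Example Test Root" -days 2 2>/dev/null
openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
    -keyout server.key -out server.csr -subj "/CN=example.test" 2>/dev/null
openssl x509 -req -in server.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ext.cnf -extensions v3_server -days 1 -out server.pem 2>/dev/null

# Trust-settings form of the root ("TRUSTED CERTIFICATE" PEM): still an anchor,
# but with serverAuth on its reject list. `-purpose sslserver` maps to the
# X509_TRUST_SSL_SERVER trust id, which is exactly what this reject entry denies.
openssl x509 -in root.pem -addreject serverAuth -out root-noserver.pem 2>/dev/null

# verify_chain [PURPOSE]: run `openssl verify` against the restricted root,
# adding `-purpose PURPOSE` when one is given. Prints "ok", "rejected" (error 28,
# X509_V_ERR_CERT_REJECTED) or "failed" (anything else; details go to stderr).
verify_chain() {
    if [ -n "${1:-}" ]; then set -- -purpose "$1"; else set --; fi
    if out="$(openssl verify -CAfile root-noserver.pem "$@" server.pem 2>&1)"; then
        echo ok
        return 0
    fi
    case "$out" in
        *"error 28 "*) echo rejected ;;
        *) printf '%s\n' "$out" >&2; echo failed ;;
    esac
}

# Without -purpose the root is trusted as a plain self-signed anchor; with
# -purpose sslserver the reject entry is consulted and the chain fails with error 28.
printf 'verify without -purpose:    %s\n' "$(verify_chain "")"
printf 'verify -purpose sslserver:  %s\n' "$(verify_chain sslserver)"
```

The comparison is the point of the patch: the same root file is accepted or rejected purely depending on which trust id the verify parameters carry, and `-purpose` is what chooses it. Swap `-addreject serverAuth` for `-addtrust emailProtection` to see the other shape of the same check, where an explicit trust list that does not include serverAuth is also insufficient for `-purpose sslserver`.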