add -trusted_first option and verify flag (backport from HEAD)
authorDr. Stephen Henson <steve@openssl.org>
Wed, 26 Sep 2012 13:50:42 +0000 (13:50 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 26 Sep 2012 13:50:42 +0000 (13:50 +0000)
CHANGES
apps/apps.c
crypto/x509/x509_vfy.c
crypto/x509/x509_vfy.h

diff --git a/CHANGES b/CHANGES
index f835089fa47104f0a59d3e68fe575129eb6f955e..4d71d95af511fe9e51b8e2171424b7947187e5a8 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]
 
+  *) Add -trusted_first option which attempts to find certificates in the
+     trusted store even if an untrusted chain is also supplied.
+     [Steve Henson]
+
   *) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
      platform support for Linux and Android.
      [Andy Polyakov]
index 4e11915b025580d88af75bc43524044d10add26e..d8d8a70acdc7554cecfdcbfe6ef2fd799fc124d9 100644 (file)
@@ -2358,6 +2358,8 @@ int args_verify(char ***pargs, int *pargc,
                flags |= X509_V_FLAG_NOTIFY_POLICY;
        else if (!strcmp(arg, "-check_ss_sig"))
                flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
+       else if (!strcmp(arg, "-trusted_first"))
+               flags |= X509_V_FLAG_TRUSTED_FIRST;
        else
                return 0;
 
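Review bot: The new `-trusted_first` branch in args_verify has no matching usage or manual-page text anywhere in this commit; the file list is CHANGES, apps/apps.c, crypto/x509/x509_vfy.c and crypto/x509/x509_vfy.h, so the CHANGES entry is the only description a user of `openssl verify` gets. The option decides which issuer is chosen when both the trusted store and the supplied untrusted chain can provide one, which is exactly the behaviour an operator needs spelled out before enabling it. A one-line entry next to the other verify options in the apps help text and the verify(1) page, e.g. `-trusted_first  look up issuers in the trusted store before using the supplied untrusted chain`, would close that gap. args_verify begins before the hunk.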
index b0779db0231b314d8fcfe009d6e2cbb985585da9..ba10811f80bf46b842fc4710a8f9be0e85f696ac 100644 (file)
@@ -206,6 +206,22 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                /* If we are self signed, we break */
                if (ctx->check_issued(ctx, x,x)) break;
 
+               /* If asked see if we can find issuer in trusted store first */
+               if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
+                       {
+                       ok = ctx->get_issuer(&xtmp, ctx, x);
+                       if (ok < 0)
+                               return ok;
+                       /* If successful for now free up cert so it
+                        * will be picked up again later.
+                        */
+                       if (ok > 0)
+                               {
+                               X509_free(xtmp);
+                               break;
+                               }
+                       }
+
                /* If we were passed a cert chain, use it first */
                if (ctx->untrusted != NULL)
                        {
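Review bot: The new block breaks out of the untrusted-chain loop on the strength of a get_issuer hit that it immediately frees, so the untrusted chain is abandoned for this certificate and the code relies on a later trusted-store lookup reproducing the same result; if that second lookup does not, the chain simply ends short rather than falling back to the untrusted certificates. The comment at `/* If successful for now free up cert ... */` should state that assumption plainly, e.g. `/* Discard the hit: the trusted-store pass below repeats get_issuer and adopts the same issuer; the untrusted chain is not retried if it cannot. */`. The `if (ok < 0) return ok;` also returns straight out of X509_verify_cert rather than through whatever exit path the function uses; if, as the untrusted branch just below presumably does, the function frees its working copies at a common label, this early return skips that cleanup, so a `goto`-style exit matching the surrounding code would be safer. X509_verify_cert starts before and ends after the hunk.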
index fe09b30aaa62dff07d2735de0ae4596a7974a530..d53f3e386950311775b45731464b6374a2e08550 100644 (file)
@@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_FLAG_USE_DELTAS                 0x2000
 /* Check selfsigned CA signature */
 #define X509_V_FLAG_CHECK_SS_SIGNATURE         0x4000
+/* Use trusted store first */
+#define X509_V_FLAG_TRUSTED_FIRST              0x8000
 
 
 #define X509_VP_FLAG_DEFAULT                   0x1
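Review bot: The comment `/* Use trusted store first */` on the new X509_V_FLAG_TRUSTED_FIRST define says where the lookup happens but not what changes for a caller, which matters because the flag alters which certification path gets built and therefore which path is validated. A fuller header comment would serve users of X509_VERIFY_PARAM_set_flags better, e.g. `/* When building a chain, look for each issuer in the trusted store before the supplied untrusted chain; the untrusted chain is used only when no trusted issuer is found */`. The value 0x8000 follows 0x4000 and does not collide with any flag visible in the hunk.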