add -trusted_first option and verify flag
authorDr. Stephen Henson <steve@openssl.org>
Thu, 25 Feb 2010 12:21:48 +0000 (12:21 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Thu, 25 Feb 2010 12:21:48 +0000 (12:21 +0000)
CHANGES
apps/apps.c
crypto/x509/x509_vfy.c
crypto/x509/x509_vfy.h

diff --git a/CHANGES b/CHANGES
index 7aae336e3757882016a00a47cc338ab67065cb52..1a7d4c35fce6cf2a5233718d4c42e1865f5449e9 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 1.0.0 and 1.1.0  [xx XXX xxxx]
 
+  *) Add -trusted_first option which attempts to find certificates in the
+     trusted store even if an untrusted chain is also supplied.
+     [Steve Henson]
+
   *) Initial experimental support for explicitly trusted non-root CAs. 
      OpenSSL still tries to build a complete chain to a root but if an
      intermediate CA has a trust setting included that is used. The first
index 4688224213feb0b8ac41014c2de8c74b7e7d00e2..3edb76c8719dccb79a2b799858898699e91444bb 100644 (file)
@@ -2333,6 +2333,8 @@ int args_verify(char ***pargs, int *pargc,
                flags |= X509_V_FLAG_NOTIFY_POLICY;
        else if (!strcmp(arg, "-check_ss_sig"))
                flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
+       else if (!strcmp(arg, "-trusted_first"))
+               flags |= X509_V_FLAG_TRUSTED_FIRST;
        else
                return 0;
 
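Review bot: The new `-trusted_first` branch in args_verify has no corresponding usage or manual text in this commit — the file list shows only CHANGES, apps/apps.c and the two x509_vfy sources — so the option is discoverable only from the CHANGES entry. The verify manual page, and any usage text that lists the neighbouring args_verify options such as `-check_ss_sig`, should gain a one-line entry stating that with this option issuers are looked up in the trusted store before the untrusted chain supplied on the command line. args_verify begins and ends outside the hunk.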
index 70011fd73316cce7e79591b97919a0b055aae962..7bac3c6f24bb3fb4822faa03f19d4719d7e69d38 100644 (file)
@@ -215,6 +215,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                /* If we are self signed, we break */
                if (cert_self_signed(x))
                        break;
+               /* If asked see if we can find issuer in trusted store first */
+               if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
+                       {
+                       ok = ctx->get_issuer(&xtmp, ctx, x);
+                       if (ok < 0)
+                               return ok;
+                       /* If successful for now free up cert so it
+                        * will be picked up again later.
+                        */
+                       if (ok > 0)
+                               {
+                               X509_free(xtmp);
+                               break;
+                               }
+                       }
 
                /* If we were passed a cert chain, use it first */
                if (ctx->untrusted != NULL)
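Review bot: The early `return ok;` after the new get_issuer call leaves X509_verify_cert without passing through its cleanup path, so anything the function has allocated by this point — in this version the duplicated untrusted stack used for chain building, which the hunk does not show — is leaked when the store lookup reports an error. The existing trusted-store loop further down returns the same way, so this is consistent with current code, but the new branch need not repeat it: `if (ok < 0) goto end;` would do, assuming the cleanup label is still `end` and returns `ok`. A smaller point is that a successful lookup frees the issuer only to query the store for it again later (as the comment says), so with the flag set each untrusted certificate costs two store lookups; a short comment noting that this cost is accepted deliberately would stop a later reader from "optimising" it into a push of xtmp onto the chain, which would change the untrusted/trusted accounting. X509_verify_cert begins and ends outside the hunk.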
index 5a8276deadc8070bf19642e0a3b6bef2790c6c7f..992005f2222d49687a985b1ea39b7a0b18eec168 100644 (file)
@@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_FLAG_USE_DELTAS                 0x2000
 /* Check selfsigned CA signature */
 #define X509_V_FLAG_CHECK_SS_SIGNATURE         0x4000
+/* Use trusted store first */
+#define X509_V_FLAG_TRUSTED_FIRST              0x8000
 
 
 #define X509_VP_FLAG_DEFAULT                   0x1
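Review bot: The comment on the new flag, `/* Use trusted store first */`, says less than the behaviour the x509_vfy.c hunk implements: when set, chain building asks the trusted store for each issuer before consulting the untrusted chain supplied by the caller, and stops walking the untrusted chain as soon as a trusted issuer is found. Suggest `/* Look up issuers in the trusted store before the untrusted chain supplied by the caller */` so a caller setting verification flags can tell from the header what changes. The value 0x8000 continues the existing sequence and does not collide with the neighbouring flags shown.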