Changes between 1.0.0 and 1.1.0 [xx XXX xxxx]
+ *) Initial experimental support for explicitly trusted non-root CAs.
+ OpenSSL still tries to build a complete chain to a root but if an
+ intermediate CA has a trust setting included that is used. The first
+ setting is used: whether to trust or reject.
+ [Steve Henson]
+
+ *) New -verify_name option in command line utilities to set verification
+ parameters by name.
+ [Steve Henson]
+
*) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
Add CMAC pkey methods.
[Steve Henson]
X509_TRUST *pt;
int idx;
if(id == -1) return 1;
+ /* We get this as a default value */
+ if (id == 0)
+ {
+ int rv;
+ rv = obj_trust(NID_anyExtendedKeyUsage, x, 0);
+ if (rv != X509_TRUST_UNTRUSTED)
+ return rv;
+ return trust_compat(NULL, x, 0);
+ }
idx = X509_TRUST_get_by_id(id);
if(idx == -1) return default_trust(id, x, flags);
pt = X509_TRUST_get0(idx);
/* we now have our chain, lets check it... */
xn=X509_get_issuer_name(x);
- /* Is last certificate looked up self signed? */
- if (!ctx->check_issued(ctx,x,x))
+ i = check_trust(ctx);
+
+ /* If explicitly rejected error */
+ if (i == X509_TRUST_REJECTED)
+ goto end;
+ /* If not explicitly trusted then indicate error */
+ if (i != X509_TRUST_TRUSTED)
{
if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
{
if (!ok) goto end;
- /* The chain extensions are OK: check trust */
-
- if (param->trust > 0) ok = check_trust(ctx);
-
- if (!ok) goto end;
-
/* We may as well copy down any DSA parameters that are required */
X509_get_pubkey_parameters(NULL,ctx->chain);
static int check_trust(X509_STORE_CTX *ctx)
{
-#ifdef OPENSSL_NO_CHAIN_VERIFY
- return 1;
-#else
int i, ok;
- X509 *x;
+ X509 *x = NULL;
int (*cb)(int xok,X509_STORE_CTX *xctx);
cb=ctx->verify_cb;
-/* For now just check the last certificate in the chain */
- i = sk_X509_num(ctx->chain) - 1;
- x = sk_X509_value(ctx->chain, i);
- ok = X509_check_trust(x, ctx->param->trust, 0);
- if (ok == X509_TRUST_TRUSTED)
- return 1;
- ctx->error_depth = i;
- ctx->current_cert = x;
- if (ok == X509_TRUST_REJECTED)
- ctx->error = X509_V_ERR_CERT_REJECTED;
- else
- ctx->error = X509_V_ERR_CERT_UNTRUSTED;
- ok = cb(0, ctx);
- return ok;
-#endif
+ /* Check all trusted certificates in chain */
+ for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++)
+ {
+ x = sk_X509_value(ctx->chain, i);
+ ok = X509_check_trust(x, ctx->param->trust, 0);
+ /* If explicitly trusted return trusted */
+ if (ok == X509_TRUST_TRUSTED)
+ return X509_TRUST_TRUSTED;
+ /* If explicitly rejected notify callback and reject if
+ * not overridden.
+ */
+ if (ok == X509_TRUST_REJECTED)
+ {
+ ctx->error_depth = i;
+ ctx->current_cert = x;
+ ctx->error = X509_V_ERR_CERT_REJECTED;
+ ok = cb(0, ctx);
+ if (!ok)
+ return X509_TRUST_REJECTED;
+ }
+ }
+ /* If no trusted certs in chain at all return untrusted and
+ * allow standard (no issuer cert) etc errors to be indicated.
+ */
+ return X509_TRUST_UNTRUSTED;
}
static int check_revocation(X509_STORE_CTX *ctx)