OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF,
OPT_NOINDEF, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT,
OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE,
- OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE,OPT_CONTENT, OPT_PRINT,
+ OPT_CAPATH, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE,
+ OPT_CONTENT, OPT_PRINT,
OPT_SECRETKEY, OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE,
OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP,
OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM,
{"certfile", OPT_CERTFILE, '<', "Other certificates file"},
{"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
{"CApath", OPT_CAPATH, '/', "trusted certificates directory"},
+ {"CAstore", OPT_CASTORE, ':', "trusted certificates store URI"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
+ {"no-CAstore", OPT_NOCASTORE, '-',
+ "Do not load certificates from the default certificates store"},
{"content", OPT_CONTENT, '<',
"Supply or override content for detached signature"},
{"print", OPT_PRINT, '-',
X509_STORE *store = NULL;
X509_VERIFY_PARAM *vpm = NULL;
char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
- const char *CAfile = NULL, *CApath = NULL;
+ const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL;
char *certsoutfile = NULL;
- int noCAfile = 0, noCApath = 0;
+ int noCAfile = 0, noCApath = 0, noCAstore = 0;
char *infile = NULL, *outfile = NULL, *rctfile = NULL;
char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *recipfile = NULL;
char *to = NULL, *from = NULL, *subject = NULL, *prog;
case OPT_CAPATH:
CApath = opt_arg();
break;
+ case OPT_CASTORE:
+ CAstore = opt_arg();
+ break;
case OPT_NOCAFILE:
noCAfile = 1;
break;
case OPT_NOCAPATH:
noCApath = 1;
break;
+ case OPT_NOCASTORE:
+ noCAstore = 1;
+ break;
case OPT_IN:
infile = opt_arg();
break;
goto end;
if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) {
- if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
+ if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
+ CAstore, noCAstore)) == NULL)
goto end;
X509_STORE_set_verify_cb(store, cms_cb);
if (vpmtouched)
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_INFORM, OPT_IN, OPT_OUTFORM, OPT_OUT, OPT_KEYFORM, OPT_KEY,
OPT_ISSUER, OPT_LASTUPDATE, OPT_NEXTUPDATE, OPT_FINGERPRINT,
- OPT_CRLNUMBER, OPT_BADSIG, OPT_GENDELTA, OPT_CAPATH, OPT_CAFILE,
- OPT_NOCAPATH, OPT_NOCAFILE, OPT_VERIFY, OPT_TEXT, OPT_HASH, OPT_HASH_OLD,
- OPT_NOOUT, OPT_NAMEOPT, OPT_MD
+ OPT_CRLNUMBER, OPT_BADSIG, OPT_GENDELTA, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE,
+ OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_VERIFY, OPT_TEXT, OPT_HASH,
+ OPT_HASH_OLD, OPT_NOOUT, OPT_NAMEOPT, OPT_MD
} OPTION_CHOICE;
const OPTIONS crl_options[] = {
{"gendelta", OPT_GENDELTA, '<', "Other CRL to compare/diff to the Input one"},
{"CApath", OPT_CAPATH, '/', "Verify CRL using certificates in dir"},
{"CAfile", OPT_CAFILE, '<', "Verify CRL using certificates in file name"},
+ {"CAstore", OPT_CASTORE, ':', "Verify CRL using certificates in store URI"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
+ {"no-CAstore", OPT_NOCASTORE, '-',
+ "Do not load certificates from the default certificates store"},
{"verify", OPT_VERIFY, '-', "Verify CRL signature"},
{"text", OPT_TEXT, '-', "Print out a text format version"},
{"hash", OPT_HASH, '-', "Print hash value"},
EVP_PKEY *pkey;
const EVP_MD *digest = EVP_sha1();
char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL;
- const char *CAfile = NULL, *CApath = NULL, *prog;
+ const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL, *prog;
OPTION_CHOICE o;
int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = 0;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM;
int ret = 1, num = 0, badsig = 0, fingerprint = 0, crlnumber = 0;
- int text = 0, do_ver = 0, noCAfile = 0, noCApath = 0;
+ int text = 0, do_ver = 0, noCAfile = 0, noCApath = 0, noCAstore = 0;
int i;
#ifndef OPENSSL_NO_MD5
int hash_old = 0;
CAfile = opt_arg();
do_ver = 1;
break;
+ case OPT_CASTORE:
+ CAstore = opt_arg();
+ do_ver = 1;
+ break;
case OPT_NOCAPATH:
noCApath = 1;
break;
case OPT_NOCAFILE:
noCAfile = 1;
break;
+ case OPT_NOCASTORE:
+ noCAstore = 1;
+ break;
case OPT_HASH_OLD:
#ifndef OPENSSL_NO_MD5
hash_old = ++num;
goto end;
if (do_ver) {
- if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
+ if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
+ CAstore, noCAstore)) == NULL)
goto end;
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
if (lookup == NULL)
const char *pass, const char *cert_descrip);
int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
const char *pass, const char *cert_descrip);
-X509_STORE *setup_verify(const char *CAfile, const char *CApath,
- int noCAfile, int noCApath);
-__owur int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
- const char *CApath, int noCAfile,
- int noCApath);
+X509_STORE *setup_verify(const char *CAfile, int noCAfile,
+ const char *CApath, int noCApath,
+ const char *CAstore, int noCAstore);
+__owur int ctx_set_verify_locations(SSL_CTX *ctx,
+ const char *CAfile, int noCAfile,
+ const char *CApath, int noCApath,
+ const char *CAstore, int noCAstore);
#ifndef OPENSSL_NO_CT
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
int crl_download);
int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
- const char *vfyCAfile, const char *chCApath,
- const char *chCAfile, STACK_OF(X509_CRL) *crls,
+ const char *vfyCAfile, const char *vfyCAstore,
+ const char *chCApath, const char *chCAfile,
+ const char *chCAstore, STACK_OF(X509_CRL) *crls,
int crl_download);
void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);
int set_keylog_file(SSL_CTX *ctx, const char *keylog_file);
}
#endif
-int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
- const char *CApath, int noCAfile, int noCApath)
+int ctx_set_verify_locations(SSL_CTX *ctx,
+ const char *CAfile, int noCAfile,
+ const char *CApath, int noCApath,
+ const char *CAstore, int noCAstore)
{
- if (CAfile == NULL && CApath == NULL) {
+ if (CAfile == NULL && CApath == NULL && CAstore == NULL) {
if (!noCAfile && SSL_CTX_set_default_verify_file(ctx) <= 0)
return 0;
if (!noCApath && SSL_CTX_set_default_verify_dir(ctx) <= 0)
return 0;
+ if (!noCAstore && SSL_CTX_set_default_verify_store(ctx) <= 0)
+ return 0;
return 1;
}
- return SSL_CTX_load_verify_locations(ctx, CAfile, CApath);
+
+ if (CAfile != NULL && !SSL_CTX_load_verify_file(ctx, CAfile))
+ return 0;
+ if (CApath != NULL && !SSL_CTX_load_verify_dir(ctx, CApath))
+ return 0;
+ if (CAstore != NULL && !SSL_CTX_load_verify_store(ctx, CAstore))
+ return 0;
+ return 1;
}
#ifndef OPENSSL_NO_CT
BIO_printf(out, "\n};\n");
}
-X509_STORE *setup_verify(const char *CAfile, const char *CApath, int noCAfile, int noCApath)
+X509_STORE *setup_verify(const char *CAfile, int noCAfile,
+ const char *CApath, int noCApath,
+ const char *CAstore, int noCAstore)
{
X509_STORE *store = X509_STORE_new();
X509_LOOKUP *lookup;
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
if (lookup == NULL)
goto end;
- if (CAfile) {
+ if (CAfile != NULL) {
if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM)) {
BIO_printf(bio_err, "Error loading file %s\n", CAfile);
goto end;
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
if (lookup == NULL)
goto end;
- if (CApath) {
+ if (CApath != NULL) {
if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
BIO_printf(bio_err, "Error loading directory %s\n", CApath);
goto end;
}
}
+ if (CAstore != NULL || !noCAstore) {
+ lookup = X509_STORE_add_lookup(store, X509_LOOKUP_store());
+ if (lookup == NULL)
+ goto end;
+ if (!X509_LOOKUP_add_store(lookup, CAstore)) {
+ if (CAstore != NULL)
+ BIO_printf(bio_err, "Error loading store URI %s\n", CAstore);
+ goto end;
+ }
+ }
+
ERR_clear_error();
return store;
end:
switch (i) {
case 0: case '-': case '/': case '<': case '>': case 'E': case 'F':
case 'M': case 'U': case 'f': case 'l': case 'n': case 'p': case 's':
- case 'u': case 'c':
+ case 'u': case 'c': case ':':
break;
default:
OPENSSL_assert(0);
switch (o->valtype) {
default:
case 's':
+ case ':':
/* Just a string. */
break;
case '/':
case 0:
case '-':
return "";
+ case ':':
+ return "uri";
case 's':
return "val";
case '/':
int ssl_load_stores(SSL_CTX *ctx,
const char *vfyCApath, const char *vfyCAfile,
+ const char *vfyCAstore,
const char *chCApath, const char *chCAfile,
+ const char *chCAstore,
STACK_OF(X509_CRL) *crls, int crl_download)
{
X509_STORE *vfy = NULL, *ch = NULL;
int rv = 0;
- if (vfyCApath != NULL || vfyCAfile != NULL) {
+ if (vfyCApath != NULL || vfyCAfile != NULL || vfyCAstore != NULL) {
vfy = X509_STORE_new();
if (vfy == NULL)
goto err;
- if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
+ if (vfyCAfile != NULL && !X509_STORE_load_file(vfy, vfyCAfile))
+ goto err;
+ if (vfyCApath != NULL && !X509_STORE_load_path(vfy, vfyCApath))
+ goto err;
+ if (vfyCAstore != NULL && !X509_STORE_load_store(vfy, vfyCAstore))
goto err;
add_crls_store(vfy, crls);
SSL_CTX_set1_verify_cert_store(ctx, vfy);
if (crl_download)
store_setup_crl_download(vfy);
}
- if (chCApath != NULL || chCAfile != NULL) {
+ if (chCApath != NULL || chCAfile != NULL || chCAstore != NULL) {
ch = X509_STORE_new();
if (ch == NULL)
goto err;
- if (!X509_STORE_load_locations(ch, chCAfile, chCApath))
+ if (chCAfile != NULL && !X509_STORE_load_file(ch, chCAfile))
+ goto err;
+ if (chCApath != NULL && !X509_STORE_load_path(ch, chCApath))
+ goto err;
+ if (chCAstore != NULL && !X509_STORE_load_store(ch, chCAstore))
goto err;
SSL_CTX_set1_chain_cert_store(ctx, ch);
}
OPT_NO_CERT_CHECKS, OPT_NO_EXPLICIT, OPT_TRUST_OTHER,
OPT_NO_INTERN, OPT_BADSIG, OPT_TEXT, OPT_REQ_TEXT, OPT_RESP_TEXT,
OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER,
- OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH, OPT_NOCAFILE, OPT_NOCAPATH,
+ OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH, OPT_CASTORE, OPT_NOCAFILE,
+ OPT_NOCAPATH, OPT_NOCASTORE,
OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT,
OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL,
OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER,
"Additional certificates to search for signer"},
{"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
{"CApath", OPT_CAPATH, '<', "Trusted certificates directory"},
+ {"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
+ {"no-CAstore", OPT_NOCAPATH, '-',
+ "Do not load certificates from the default certificates store"},
{"validity_period", OPT_VALIDITY_PERIOD, 'u',
"Maximum validity discrepancy in seconds"},
{"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"},
X509 *signer = NULL, *rsigner = NULL;
X509_STORE *store = NULL;
X509_VERIFY_PARAM *vpm = NULL;
- const char *CAfile = NULL, *CApath = NULL;
+ const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL;
char *header, *value;
char *host = NULL, *port = NULL, *path = "/", *outfile = NULL;
char *rca_filename = NULL, *reqin = NULL, *respin = NULL;
char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
char *signfile = NULL, *keyfile = NULL;
char *thost = NULL, *tport = NULL, *tpath = NULL;
- int noCAfile = 0, noCApath = 0;
+ int noCAfile = 0, noCApath = 0, noCAstore = 0;
int accept_count = -1, add_nonce = 1, noverify = 0, use_ssl = -1;
int vpmtouched = 0, badsig = 0, i, ignore_err = 0, nmin = 0, ndays = -1;
int req_text = 0, resp_text = 0, ret = 1;
case OPT_CAPATH:
CApath = opt_arg();
break;
+ case OPT_CASTORE:
+ CAstore = opt_arg();
+ break;
case OPT_NOCAFILE:
noCAfile = 1;
break;
case OPT_NOCAPATH:
noCApath = 1;
break;
+ case OPT_NOCASTORE:
+ noCAstore = 1;
+ break;
case OPT_V_CASES:
if (!opt_verify(o, vpm))
goto end;
}
if (store == NULL) {
- store = setup_verify(CAfile, CApath, noCAfile, noCApath);
+ store = setup_verify(CAfile, noCAfile, CApath, noCApath,
+ CAstore, noCAstore);
if (!store)
goto end;
}
OPT_NOMAC, OPT_LMK, OPT_NODES, OPT_MACALG, OPT_CERTPBE, OPT_KEYPBE,
OPT_INKEY, OPT_CERTFILE, OPT_NAME, OPT_CSP, OPT_CANAME,
OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH,
- OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_ENGINE,
+ OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE,
OPT_R_ENUM
} OPTION_CHOICE;
{"password", OPT_PASSWORD, 's', "Set import/export password source"},
{"CApath", OPT_CAPATH, '/', "PEM-format directory of CA's"},
{"CAfile", OPT_CAFILE, '<', "PEM-format file of CA's"},
+ {"CAstore", OPT_CASTORE, ':', "URI to store if CA's"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
+ {"no-CAstore", OPT_NOCASTORE, '-',
+ "Do not load certificates from the default certificates store"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
# ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
char *passinarg = NULL, *passoutarg = NULL, *passarg = NULL;
char *passin = NULL, *passout = NULL, *macalg = NULL;
char *cpass = NULL, *mpass = NULL, *badpass = NULL;
- const char *CApath = NULL, *CAfile = NULL, *prog;
- int noCApath = 0, noCAfile = 0;
+ const char *CApath = NULL, *CAfile = NULL, *CAstore = NULL, *prog;
+ int noCApath = 0, noCAfile = 0, noCAstore = 0;
ENGINE *e = NULL;
BIO *in = NULL, *out = NULL;
PKCS12 *p12 = NULL;
case OPT_CAPATH:
CApath = opt_arg();
break;
+ case OPT_CASTORE:
+ CAstore = opt_arg();
+ break;
case OPT_CAFILE:
CAfile = opt_arg();
break;
case OPT_NOCAPATH:
noCApath = 1;
break;
+ case OPT_NOCASTORE:
+ noCAstore = 1;
+ break;
case OPT_NOCAFILE:
noCAfile = 1;
break;
int vret;
STACK_OF(X509) *chain2;
X509_STORE *store;
- if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath))
+ if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
+ CAstore, noCAstore))
== NULL)
goto export_end;
OPT_SSL3, OPT_SSL_CONFIG,
OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
OPT_DTLS1_2, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, OPT_PASS,
- OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH,
- OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE,
- OPT_CHAINCAFILE, OPT_VERIFYCAFILE, OPT_NEXTPROTONEG, OPT_ALPN,
+ OPT_CERT_CHAIN, OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN,
+ OPT_NEXTPROTONEG, OPT_ALPN,
+ OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH,
+ OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE, OPT_VERIFYCAFILE,
+ OPT_CASTORE, OPT_NOCASTORE, OPT_CHAINCASTORE, OPT_VERIFYCASTORE,
OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_NOSERVERNAME, OPT_ASYNC,
OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_PROTOHOST,
OPT_MAXFRAGLEN, OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES,
{"pass", OPT_PASS, 's', "Private key file pass phrase source"},
{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
{"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
+ {"CAstore", OPT_CAFILE, ':', "URI to store of CA's"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
+ {"no-CAstore", OPT_NOCAPATH, '-',
+ "Do not load certificates from the default certificates store"},
{"requestCAfile", OPT_REQCAFILE, '<',
"PEM format file of CA names to send to the server"},
{"dane_tlsa_domain", OPT_DANE_TLSA_DOMAIN, 's', "DANE TLSA base domain"},
"CA file for certificate chain (PEM format)"},
{"verifyCAfile", OPT_VERIFYCAFILE, '<',
"CA file for certificate verification (PEM format)"},
+ {"chainCAstore", OPT_CHAINCASTORE, ':',
+ "CA store URI for certificate chain"},
+ {"verifyCAstore", OPT_VERIFYCASTORE, ':',
+ "CA store URI for certificate verification"},
{"nocommands", OPT_NOCMDS, '-', "Do not use interactive command letters"},
{"servername", OPT_SERVERNAME, 's',
"Set TLS extension servername (SNI) in ClientHello (default)"},
int dane_ee_no_name = 0;
STACK_OF(X509_CRL) *crls = NULL;
const SSL_METHOD *meth = TLS_client_method();
- const char *CApath = NULL, *CAfile = NULL;
+ const char *CApath = NULL, *CAfile = NULL, *CAstore = NULL;
char *cbuf = NULL, *sbuf = NULL, *mbuf = NULL;
char *proxystr = NULL, *proxyuser = NULL;
char *proxypassarg = NULL, *proxypass = NULL;
char *connectstr = NULL, *bindstr = NULL;
char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
- char *chCApath = NULL, *chCAfile = NULL, *host = NULL;
+ char *chCApath = NULL, *chCAfile = NULL, *chCAstore = NULL, *host = NULL;
char *port = OPENSSL_strdup(PORT);
char *bindhost = NULL, *bindport = NULL;
- char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL;
+ char *passarg = NULL, *pass = NULL;
+ char *vfyCApath = NULL, *vfyCAfile = NULL, *vfyCAstore = NULL;
char *ReqCAfile = NULL;
char *sess_in = NULL, *crl_file = NULL, *p;
const char *protohost = NULL;
struct timeval timeout, *timeoutp;
fd_set readfds, writefds;
- int noCApath = 0, noCAfile = 0;
+ int noCApath = 0, noCAfile = 0, noCAstore = 0;
int build_chain = 0, cbuf_len, cbuf_off, cert_format = FORMAT_PEM;
int key_format = FORMAT_PEM, crlf = 0, full_log = 1, mbuf_len = 0;
int prexit = 0;
case OPT_VERIFYCAFILE:
vfyCAfile = opt_arg();
break;
+ case OPT_CASTORE:
+ CAstore = opt_arg();
+ break;
+ case OPT_NOCASTORE:
+ noCAstore = 1;
+ break;
+ case OPT_CHAINCASTORE:
+ chCAstore = opt_arg();
+ break;
+ case OPT_VERIFYCASTORE:
+ vfyCAstore = opt_arg();
+ break;
case OPT_DANE_TLSA_DOMAIN:
dane_tlsa_domain = opt_arg();
break;
goto end;
}
- if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
+ if (!ssl_load_stores(ctx,
+ vfyCApath, vfyCAfile, vfyCAstore,
+ chCApath, chCAfile, chCAstore,
crls, crl_download)) {
BIO_printf(bio_err, "Error loading store locations\n");
ERR_print_errors(bio_err);
SSL_CTX_set_verify(ctx, verify, verify_callback);
- if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) {
+ if (!ctx_set_verify_locations(ctx, CAfile, noCAfile, CApath, noCApath,
+ CAstore, noCAstore)) {
ERR_print_errors(bio_err);
goto end;
}
OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, OPT_NO_CACHE,
OPT_EXT_CACHE, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET,
OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE,
- OPT_VERIFYCAFILE, OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF,
+ OPT_VERIFYCAFILE,
+ OPT_CASTORE, OPT_NOCASTORE, OPT_CHAINCASTORE, OPT_VERIFYCASTORE,
+ OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF,
OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE,
OPT_STATUS_TIMEOUT, OPT_STATUS_URL, OPT_STATUS_FILE, OPT_MSG, OPT_MSGFILE,
OPT_TRACE, OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE,
{"state", OPT_STATE, '-', "Print the SSL states"},
{"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
+ {"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
+ {"no-CAstore", OPT_NOCASTORE, '-',
+ "Do not load certificates from the default certificates store URI"},
{"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"},
{"quiet", OPT_QUIET, '-', "No server output"},
{"no_resume_ephemeral", OPT_NO_RESUME_EPHEMERAL, '-',
"second certificate chain file in PEM format"},
{"chainCApath", OPT_CHAINCAPATH, '/',
"use dir as certificate store path to build CA certificate chain"},
+ {"chainCAstore", OPT_CHAINCASTORE, ':',
+ "use URI as certificate store to build CA certificate chain"},
{"verifyCApath", OPT_VERIFYCAPATH, '/',
"use dir as certificate store path to verify CA certificate"},
+ {"verifyCAstore", OPT_VERIFYCASTORE, ':',
+ "use URI as certificate store to verify CA certificate"},
{"no_cache", OPT_NO_CACHE, '-', "Disable session cache"},
{"ext_cache", OPT_EXT_CACHE, '-',
"Disable internal cache, setup and use external cache"},
STACK_OF(X509_CRL) *crls = NULL;
X509 *s_cert = NULL, *s_dcert = NULL;
X509_VERIFY_PARAM *vpm = NULL;
- const char *CApath = NULL, *CAfile = NULL, *chCApath = NULL, *chCAfile = NULL;
+ const char *CApath = NULL, *CAfile = NULL, *CAstore = NULL;
+ const char *chCApath = NULL, *chCAfile = NULL, *chCAstore = NULL;
char *dpassarg = NULL, *dpass = NULL;
- char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL;
+ char *passarg = NULL, *pass = NULL;
+ char *vfyCApath = NULL, *vfyCAfile = NULL, *vfyCAstore = NULL;
char *crl_file = NULL, *prog;
#ifdef AF_UNIX
int unlink_unix_path = 0;
int no_dhe = 0;
#endif
int nocert = 0, ret = 1;
- int noCApath = 0, noCAfile = 0;
+ int noCApath = 0, noCAfile = 0, noCAstore = 0;
int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
int rev = 0, naccept = -1, sdebug = 0;
case OPT_VERIFYCAPATH:
vfyCApath = opt_arg();
break;
+ case OPT_CASTORE:
+ CAstore = opt_arg();
+ break;
+ case OPT_NOCASTORE:
+ noCAstore = 1;
+ break;
+ case OPT_CHAINCASTORE:
+ chCAstore = opt_arg();
+ break;
+ case OPT_VERIFYCASTORE:
+ vfyCAstore = opt_arg();
+ break;
case OPT_NO_CACHE:
no_cache = 1;
break;
}
#endif
- if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) {
+ if (!ctx_set_verify_locations(ctx, CAfile, noCAfile, CApath, noCApath,
+ CAstore, noCAstore)) {
ERR_print_errors(bio_err);
goto end;
}
ssl_ctx_add_crls(ctx, crls, 0);
- if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
+ if (!ssl_load_stores(ctx,
+ vfyCApath, vfyCAfile, vfyCAstore,
+ chCApath, chCAfile, chCAstore,
crls, crl_download)) {
BIO_printf(bio_err, "Error loading store locations\n");
ERR_print_errors(bio_err);
if (async)
SSL_CTX_set_mode(ctx2, SSL_MODE_ASYNC);
- if (!ctx_set_verify_locations(ctx2, CAfile, CApath, noCAfile,
- noCApath)) {
+ if (!ctx_set_verify_locations(ctx2, CAfile, noCAfile, CApath,
+ noCApath, CAstore, noCAstore)) {
ERR_print_errors(bio_err);
goto end;
}
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_CONNECT, OPT_CIPHER, OPT_CIPHERSUITES, OPT_CERT, OPT_NAMEOPT, OPT_KEY,
- OPT_CAPATH, OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NEW, OPT_REUSE,
- OPT_BUGS, OPT_VERIFY, OPT_TIME, OPT_SSL3,
+ OPT_CAPATH, OPT_CAFILE, OPT_CASTORE,
+ OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE,
+ OPT_NEW, OPT_REUSE, OPT_BUGS, OPT_VERIFY, OPT_TIME, OPT_SSL3,
OPT_WWW, OPT_TLS1, OPT_TLS1_1, OPT_TLS1_2, OPT_TLS1_3
} OPTION_CHOICE;
{"cert", OPT_CERT, '<', "Cert file to use, PEM format assumed"},
{"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
{"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"},
- {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
{"cafile", OPT_CAFILE, '<', "PEM format file of CA's"},
+ {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
+ {"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
+ {"no-CAstore", OPT_NOCASTORE, '-',
+ "Do not load certificates from the default certificates store URI"},
{"new", OPT_NEW, '-', "Just time new connections"},
{"reuse", OPT_REUSE, '-', "Just time connection reuse"},
{"bugs", OPT_BUGS, '-', "Turn on SSL bug compatibility"},
SSL *scon = NULL;
SSL_CTX *ctx = NULL;
const SSL_METHOD *meth = NULL;
- char *CApath = NULL, *CAfile = NULL, *cipher = NULL, *ciphersuites = NULL;
+ char *CApath = NULL, *CAfile = NULL, *CAstore = NULL;
+ char *cipher = NULL, *ciphersuites = NULL;
char *www_path = NULL;
char *host = SSL_CONNECT_NAME, *certfile = NULL, *keyfile = NULL, *prog;
double totalTime = 0.0;
- int noCApath = 0, noCAfile = 0;
+ int noCApath = 0, noCAfile = 0, noCAstore = 0;
int maxtime = SECONDS, nConn = 0, perform = 3, ret = 1, i, st_bugs = 0;
long bytes_read = 0, finishtime = 0;
OPTION_CHOICE o;
case OPT_NOCAFILE:
noCAfile = 1;
break;
+ case OPT_CASTORE:
+ CAstore = opt_arg();
+ break;
+ case OPT_NOCASTORE:
+ noCAstore = 1;
+ break;
case OPT_CIPHER:
cipher = opt_arg();
break;
if (!set_cert_stuff(ctx, certfile, keyfile))
goto end;
- if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) {
+ if (!ctx_set_verify_locations(ctx, CAfile, noCAfile, CApath, noCApath,
+ CAstore, noCAstore)) {
ERR_print_errors(bio_err);
goto end;
}
OPT_CRLFEOL, OPT_ENGINE, OPT_PASSIN,
OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, OPT_MD,
OPT_CIPHER, OPT_INKEY, OPT_KEYFORM, OPT_CERTFILE, OPT_CAFILE,
+ OPT_CAPATH, OPT_CASTORE, OPT_NOCAFILE, OPT_NOCAPATH, OPT_NOCASTORE,
OPT_R_ENUM,
OPT_V_ENUM,
- OPT_CAPATH, OPT_NOCAFILE, OPT_NOCAPATH, OPT_IN, OPT_INFORM, OPT_OUT,
+ OPT_IN, OPT_INFORM, OPT_OUT,
OPT_OUTFORM, OPT_CONTENT
} OPTION_CHOICE;
{"text", OPT_TEXT, '-', "Include or delete text MIME headers"},
{"CApath", OPT_CAPATH, '/', "Trusted certificates directory"},
{"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
+ {"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
+ {"no-CAstore", OPT_NOCASTORE, '-',
+ "Do not load certificates from the default certificates store"},
{"resign", OPT_RESIGN, '-', "Resign a signed message"},
{"nochain", OPT_NOCHAIN, '-',
"set PKCS7_NOCHAIN so certificates contained in the message are not used as untrusted CAs" },
X509_VERIFY_PARAM *vpm = NULL;
const EVP_CIPHER *cipher = NULL;
const EVP_MD *sign_md = NULL;
- const char *CAfile = NULL, *CApath = NULL, *prog = NULL;
+ const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL, *prog = NULL;
char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
char *infile = NULL, *outfile = NULL, *signerfile = NULL, *recipfile = NULL;
char *passinarg = NULL, *passin = NULL, *to = NULL, *from = NULL, *subject = NULL;
OPTION_CHOICE o;
- int noCApath = 0, noCAfile = 0;
+ int noCApath = 0, noCAfile = 0, noCAstore = 0;
int flags = PKCS7_DETACHED, operation = 0, ret = 0, indef = 0;
int informat = FORMAT_SMIME, outformat = FORMAT_SMIME, keyform =
FORMAT_PEM;
case OPT_CAPATH:
CApath = opt_arg();
break;
+ case OPT_CASTORE:
+ CAstore = opt_arg();
+ break;
case OPT_NOCAFILE:
noCAfile = 1;
break;
case OPT_NOCAPATH:
noCApath = 1;
break;
+ case OPT_NOCASTORE:
+ noCAstore = 1;
+ break;
case OPT_CONTENT:
contfile = opt_arg();
break;
goto end;
if (operation == SMIME_VERIFY) {
- if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
+ if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
+ CAstore, noCAstore)) == NULL)
goto end;
X509_STORE_set_verify_cb(store, smime_cb);
if (vpmtouched)
/* Verify related functions. */
static int verify_command(const char *data, const char *digest, const char *queryfile,
const char *in, int token_in,
- const char *CApath, const char *CAfile, const char *untrusted,
- X509_VERIFY_PARAM *vpm);
+ const char *CApath, const char *CAfile,
+ const char *CAstore,
+ const char *untrusted, X509_VERIFY_PARAM *vpm);
static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
const char *queryfile,
const char *CApath, const char *CAfile,
+ const char *CAstore,
const char *untrusted,
X509_VERIFY_PARAM *vpm);
static X509_STORE *create_cert_store(const char *CApath, const char *CAfile,
- X509_VERIFY_PARAM *vpm);
+ const char *CAstore, X509_VERIFY_PARAM *vpm);
static int verify_cb(int ok, X509_STORE_CTX *ctx);
typedef enum OPTION_choice {
OPT_DIGEST, OPT_TSPOLICY, OPT_NO_NONCE, OPT_CERT,
OPT_IN, OPT_TOKEN_IN, OPT_OUT, OPT_TOKEN_OUT, OPT_TEXT,
OPT_REPLY, OPT_QUERYFILE, OPT_PASSIN, OPT_INKEY, OPT_SIGNER,
- OPT_CHAIN, OPT_VERIFY, OPT_CAPATH, OPT_CAFILE, OPT_UNTRUSTED,
+ OPT_CHAIN, OPT_VERIFY, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE, OPT_UNTRUSTED,
OPT_MD, OPT_V_ENUM, OPT_R_ENUM
} OPTION_CHOICE;
{"verify", OPT_VERIFY, '-', "Verify a TS response"},
{"CApath", OPT_CAPATH, '/', "Path to trusted CA files"},
{"CAfile", OPT_CAFILE, '<', "File with trusted CA certs"},
+ {"CAstore", OPT_CASTORE, ':', "URI to trusted CA store"},
{"untrusted", OPT_UNTRUSTED, '<', "File with untrusted certs"},
{"", OPT_MD, '-', "Any supported digest"},
# ifndef OPENSSL_NO_ENGINE
" [-text]",
# endif
" or",
- "ts -verify -CApath dir -CAfile file.pem -untrusted file.pem",
+ "ts -verify -CApath dir -CAfile file.pem -CAstore uri -untrusted file.pem",
" [-data file] [-digest hexstring]",
" [-queryfile file] -in file [-token_in]",
" [[options specific to 'ts -verify']]",
char *data = NULL, *digest = NULL, *policy = NULL;
char *in = NULL, *out = NULL, *queryfile = NULL, *passin = NULL;
char *inkey = NULL, *signer = NULL, *chain = NULL, *CApath = NULL;
+ char *CAstore = NULL;
const EVP_MD *md = NULL;
OPTION_CHOICE o, mode = OPT_ERR;
int ret = 1, no_nonce = 0, cert = 0, text = 0;
case OPT_CAFILE:
CAfile = opt_arg();
break;
+ case OPT_CASTORE:
+ CAstore = opt_arg();
+ break;
case OPT_UNTRUSTED:
untrusted = opt_arg();
break;
if ((in == NULL) || !EXACTLY_ONE(queryfile, data, digest))
goto opthelp;
ret = !verify_command(data, digest, queryfile, in, token_in,
- CApath, CAfile, untrusted,
+ CApath, CAfile, CAstore, untrusted,
vpmtouched ? vpm : NULL);
} else {
goto opthelp;
static int verify_command(const char *data, const char *digest, const char *queryfile,
const char *in, int token_in,
- const char *CApath, const char *CAfile, const char *untrusted,
+ const char *CApath, const char *CAfile,
+ const char *CAstore, const char *untrusted,
X509_VERIFY_PARAM *vpm)
{
BIO *in_bio = NULL;
}
if ((verify_ctx = create_verify_ctx(data, digest, queryfile,
- CApath, CAfile, untrusted,
+ CApath, CAfile, CAstore, untrusted,
vpm)) == NULL)
goto end;
static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
const char *queryfile,
const char *CApath, const char *CAfile,
+ const char *CAstore,
const char *untrusted,
X509_VERIFY_PARAM *vpm)
{
TS_VERIFY_CTX_add_flags(ctx, f | TS_VFY_SIGNATURE);
/* Initialising the X509_STORE object. */
- if (TS_VERIFY_CTX_set_store(ctx, create_cert_store(CApath, CAfile, vpm))
+ if (TS_VERIFY_CTX_set_store(ctx,
+ create_cert_store(CApath, CAfile, CAstore, vpm))
== NULL)
goto err;
}
static X509_STORE *create_cert_store(const char *CApath, const char *CAfile,
- X509_VERIFY_PARAM *vpm)
+ const char *CAstore, X509_VERIFY_PARAM *vpm)
{
X509_STORE *cert_ctx = NULL;
X509_LOOKUP *lookup = NULL;
- int i;
cert_ctx = X509_STORE_new();
X509_STORE_set_verify_cb(cert_ctx, verify_cb);
BIO_printf(bio_err, "memory allocation failure\n");
goto err;
}
- i = X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM);
- if (!i) {
+ if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
BIO_printf(bio_err, "Error loading directory %s\n", CApath);
goto err;
}
BIO_printf(bio_err, "memory allocation failure\n");
goto err;
}
- i = X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM);
- if (!i) {
+ if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM)) {
BIO_printf(bio_err, "Error loading file %s\n", CAfile);
goto err;
}
}
+ if (CAstore != NULL) {
+ lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_store());
+ if (lookup == NULL) {
+ BIO_printf(bio_err, "memory allocation failure\n");
+ goto err;
+ }
+ if (!X509_LOOKUP_load_store(lookup, CAstore)) {
+ BIO_printf(bio_err, "Error loading store URI %s\n", CAstore);
+ goto err;
+ }
+ }
+
if (vpm != NULL)
X509_STORE_set1_param(cert_ctx, vpm);
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
- OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE,
+ OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE,
+ OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE,
OPT_UNTRUSTED, OPT_TRUSTED, OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN,
OPT_V_ENUM, OPT_NAMEOPT,
OPT_VERBOSE, OPT_SM2ID, OPT_SM2HEXID
"Print extra information about the operations being performed."},
{"CApath", OPT_CAPATH, '/', "A directory of trusted certificates"},
{"CAfile", OPT_CAFILE, '<', "A file of trusted certificates"},
+ {"CAstore", OPT_CASTORE, ':', "URI to a store of trusted certificates"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
+ {"no-CAstore", OPT_NOCAPATH, '-',
+ "Do not load certificates from the default certificates store"},
{"untrusted", OPT_UNTRUSTED, '<', "A file of untrusted certificates"},
{"trusted", OPT_TRUSTED, '<', "A file of trusted certificates"},
{"CRLfile", OPT_CRLFILE, '<',
STACK_OF(X509_CRL) *crls = NULL;
X509_STORE *store = NULL;
X509_VERIFY_PARAM *vpm = NULL;
- const char *prog, *CApath = NULL, *CAfile = NULL;
- int noCApath = 0, noCAfile = 0;
+ const char *prog, *CApath = NULL, *CAfile = NULL, *CAstore = NULL;
+ int noCApath = 0, noCAfile = 0, noCAstore = 0;
int vpmtouched = 0, crl_download = 0, show_chain = 0, i = 0, ret = 1;
OPTION_CHOICE o;
unsigned char *sm2_id = NULL;
case OPT_CAFILE:
CAfile = opt_arg();
break;
+ case OPT_CASTORE:
+ CAstore = opt_arg();
+ break;
case OPT_NOCAPATH:
noCApath = 1;
break;
case OPT_NOCAFILE:
noCAfile = 1;
break;
+ case OPT_NOCASTORE:
+ noCAstore = 1;
+ break;
case OPT_UNTRUSTED:
/* Zero or more times */
if (!load_certs(opt_arg(), &untrusted, FORMAT_PEM, NULL,
/* Zero or more times */
noCAfile = 1;
noCApath = 1;
+ noCAstore = 1;
if (!load_certs(opt_arg(), &trusted, FORMAT_PEM, NULL,
"trusted certificates"))
goto end;
}
argc = opt_num_rest();
argv = opt_rest();
- if (trusted != NULL && (CAfile || CApath)) {
+ if (trusted != NULL
+ && (CAfile != NULL || CApath != NULL || CAstore != NULL)) {
BIO_printf(bio_err,
- "%s: Cannot use -trusted with -CAfile or -CApath\n",
+ "%s: Cannot use -trusted with -CAfile, -CApath or -CAstore\n",
prog);
goto end;
}
- if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
+ if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
+ CAstore, noCAstore)) == NULL)
goto end;
X509_STORE_set_verify_cb(store, cb);
No revocation checking is done on the signer's certificate.
+=head1 SEE ALSO
+
+L<ossl_store-file(7)>
+
=head1 HISTORY
The use of multiple B<-signer> options and the B<-resign> command were first
L<openssl(1)>,
L<openssl-crl2pkcs7(1)>,
L<openssl-ca(1)>,
-L<openssl-x509(1)>
+L<openssl-x509(1)>,
+L<ossl_store-file(7)>
=head1 COPYRIGHT
Then a normal certificate verify is performed on the OCSP responder certificate
building up a certificate chain in the process. The locations of the trusted
-certificates used to build the chain can be specified by the B<-CAfile>
-and B<-CApath> options or they will be looked for in the standard OpenSSL
-certificates directory.
+certificates used to build the chain can be specified by the B<-CAfile>,
+B<-CApath> or B<-CAstore> options or they will be looked for in the
+standard OpenSSL certificates directory.
If the initial verify fails then the OCSP verify process halts with an
error.
=head1 NOTES
As noted, most of the verify options are for testing or debugging purposes.
-Normally only the B<-CApath>, B<-CAfile> and (if the responder is a 'global
-VA') B<-VAfile> options need to be used.
+Normally only the B<-CApath>, B<-CAfile>, B<-CAstore> and (if the responder
+is a 'global VA') B<-VAfile> options need to be used.
The OCSP server is only useful for test and demonstration purposes: it is
not really usable as a full OCSP responder. It contains only a very
=head1 SEE ALSO
L<openssl(1)>,
-L<openssl-pkcs8(1)>
+L<openssl-pkcs8(1)>,
+L<ossl_store-file(7)>
=head1 COPYRIGHT
[B<-pass> I<arg>]
[B<-chainCApath> I<directory>]
[B<-chainCAfile> I<filename>]
+[B<-chainCAstore> I<uri>]
[B<-requestCAfile> I<filename>]
[B<-dane_tlsa_domain> I<domain>]
[B<-dane_tlsa_rrdata> I<rrdata>]
A file containing trusted certificates to use when attempting to build the
client certificate chain.
+=item B<-chainCAstore> I<uri>
+
+The URI to use when attempting to build the client certificate chain.
+
=item B<-requestCAfile> I<file>
A file containing a list of certificates whose subject names will be sent
L<SSL_CONF_cmd(3)>,
L<SSL_CTX_set_max_send_fragment(3)>,
L<SSL_CTX_set_split_send_fragment(3)>,
-L<SSL_CTX_set_max_pipelines(3)>
+L<SSL_CTX_set_max_pipelines(3)>,
+L<ossl_store-file(7)>
=head1 HISTORY
[B<-dcert_chain> I<infile>]
[B<-chainCApath> I<dir>]
[B<-verifyCApath> I<dir>]
+[B<-chainCAstore> I<uri>]
+[B<-verifyCAstore> I<uri>]
[B<-no_cache>]
[B<-ext_cache>]
[B<-verify_return_error>]
A file containing trusted certificates to use when attempting to build the
server certificate chain.
+=item B<-chainCAstore> I<uri>
+
+The URI to a store to use for building the chain provided to the client.
+The URI may indicate a single certificate, as well as a collection of
+them.
+With URIs in the C<file:> scheme, this acts as B<-chainCAfile> or
+B<-chainCApath>, depending on if the URI indicates a directory or a
+single file.
+See L<ossl_store-file(7)> for more information on the C<file:> scheme.
+
=item B<-nocert>
If this option is set then no certificate is used. This restricts the
L<SSL_CONF_cmd(3)>,
L<SSL_CTX_set_max_send_fragment(3)>,
L<SSL_CTX_set_split_send_fragment(3)>,
-L<SSL_CTX_set_max_pipelines(3)>
+L<SSL_CTX_set_max_pipelines(3)>,
+L<ossl_store-file(7)>
=head1 HISTORY
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<openssl-x509(1)> manual page for details.
-=item B<-CApath> I<directory>
-
-The directory to use for server certificate verification. This directory
-must be in "hash format", see L<openssl-verify(1)> for more information.
-These are also used when building the client certificate chain.
-
=item B<-new>
Performs the timing test using a new session ID for each connection.
L<openssl(1)>,
L<openssl-s_client(1)>,
L<openssl-s_server(1)>,
-L<openssl-ciphers(1)>
+L<openssl-ciphers(1)>,
+L<ossl_store-file(7)>
=head1 COPYRIGHT
The current code can only handle S/MIME v2 messages, the more complex S/MIME v3
structures may cause parsing errors.
+=head1 SEE ALSO
+
+L<ossl_store-file(7)>
+
=head1 HISTORY
The use of multiple B<-signer> options and the B<-resign> command were first
[B<-token_in>]
[B<-CApath> I<trusted_cert_path>]
[B<-CAfile> I<trusted_certs.pem>]
+[B<-CAstore> I<trusted_certs_uri>]
[B<-untrusted> I<cert_file.pem>]
[I<verify options>]
that the input is a DER encoded timestamp token (ContentInfo) instead
of a timestamp response (TimeStampResp). (Optional)
-=item B<-CAfile> I<file>, B<-CApath> I<dir>
+=item B<-CAfile> I<file>, B<-CApath> I<dir>, B<-CAstore> I<uri>
See L<openssl(1)/Trusted Certificate Options> for more information.
+At least one of B<-CApath>, B<-CAfile> or B<-CAstore> must be specified.
+
=item B<-untrusted> I<cert_file.pem>
Set of additional untrusted certificates in PEM format which may be
L<openssl-x509(1)>,
L<openssl-ca(1)>,
L<openssl-genrsa(1)>,
-L<config(5)>
+L<config(5)>,
+L<ossl_store-file(7)>
=head1 COPYRIGHT
=item B<-trusted_first>
When constructing the certificate chain, use the trusted certificates specified
-via B<-CAfile>, B<-CApath> or B<-trusted> before any certificates specified via
-B<-untrusted>.
+via B<-CAfile>, B<-CApath>, B<-CAstore> or B<-trusted> before any certificates
+specified via B<-untrusted>.
This can be useful in environments with Bridge or Cross-Certified CAs.
As of OpenSSL 1.1.0 this option is on by default and cannot be disabled.
That is, the only trust-anchors are those listed in I<file>.
This option can be specified more than once to include trusted certificates
from multiple I<file>s.
-This option implies the B<-no-CAfile> and B<-no-CApath> options.
-This option cannot be used in combination with either of the B<-CAfile> or
-B<-CApath> options.
+This option implies the B<-no-CAfile>, B<-no-CApath> and B<-no-CAstore> options.
+This option cannot be used in combination with any of the B<-CAfile>,
+B<-CApath> or B<-CAstore> options.
=item B<-use_deltas>
technique they still suffer from limitations in the underlying X509_LOOKUP
API. One consequence of this is that trusted certificates with matching
subject name must either appear in a file (as specified by the B<-CAfile>
-option) or a directory (as specified by B<-CApath>). If they occur in
-both then only the certificates in the file will be recognised.
+option), a directory (as specified by B<-CApath>), or a store (as specified
+by B<-CAstore>). If they occur in more than one location then only the
+certificates in the file will be recognised.
Previous versions of OpenSSL assume certificates with matching subject
name are identical and mishandled them.
=head1 SEE ALSO
L<openssl(1)>,
-L<openssl-x509(1)>
+L<openssl-x509(1)>,
+L<ossl_store-file(7)>
=head1 HISTORY
Do not use the default directory of trusted certificates.
+=item B<-CAstore> I<uri>
+
+Use I<uri> as a store of trusted CA certificates. The URI may
+indicate a single certificate, as well as a collection of them.
+With URIs in the C<file:> scheme, this acts as B<-CAfile> or
+B<-CApath>, depending on if the URI indicates a single file or
+directory.
+See L<ossl_store-file(7)> for more information on the C<file:> scheme.
+
+These certificates are also used when building the server certificate
+chain (for example with L<openssl-s_server(1)>) or client certificate
+chain (for example with L<openssl-s_time(1)>).
+
+=item B<-no-CAstore>
+
+Do not use the default store.
+
=back
=head2 Random State Options
. "[B<-CAfile> I<file>]\n"
. "[B<-no-CAfile>]\n"
. "[B<-CApath> I<dir>]\n"
-. "[B<-no-CApath>]";
+. "[B<-no-CApath>]\n"
+. "[B<-CAstore> I<uri>]\n"
+. "[B<-no-CAstore>]";
$OpenSSL::safe::opt_trust_item = ""
-. "=item B<-CAfile> I<file>, B<-no-CAfile>, B<-CApath> I<dir>, B<-no-CApath>\n"
+. "=item B<-CAfile> I<file>, B<-no-CAfile>, B<-CApath> I<dir>, B<-no-CApath>,\n"
+. "B<-CAstore> I<uri>, B<-no-CAstore>\n"
. "\n"
. "See L<openssl(1)/Trusted Certificate Options> for details.";
projects / oweals / openssl.git / commitdiff