From 9a1f59cd3128ddac73d3e0721ecd55935f53ba8b Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Fri, 14 Dec 2012 14:30:46 +0000
Subject: [PATCH] New verify flag to return success if we have any certificate in the trusted store instead of the default which is to return an error if we can't build the complete chain.

[backport from HEAD]

---
apps/apps.c | 2 ++
crypto/x509/x509_vfy.c | 9 +++++++++
crypto/x509/x509_vfy.h | 2 ++
3 files changed, 13 insertions(+)

diff --git a/apps/apps.c b/apps/apps.c
index 3316e26a5c..4f12f3a196 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2363,6 +2363,8 @@ int args_verify(char ***pargs, int *pargc,
 flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
 else if (!strcmp(arg, "-trusted_first"))
 flags |= X509_V_FLAG_TRUSTED_FIRST;
+ else if (!strcmp(arg, "-partial_chain"))
+ flags |= X509_V_FLAG_PARTIAL_CHAIN;
 else
 return 0;
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index c7aa575920..49c8007967 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -682,6 +682,15 @@ static int check_trust(X509_STORE_CTX *ctx)
 return X509_TRUST_REJECTED;
 }
 }
+ /* If we accept partial chains and have at least one trusted * certificate return success. */
+ if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
+ {
+ if (ctx->last_untrusted < sk_X509_num(ctx->chain))
+ return X509_TRUST_TRUSTED;
+ }
+
 /* If no trusted certs in chain at all return untrusted and * allow standard (no issuer cert) etc errors to be indicated. */
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index d53f3e3869..ee40e7fe82 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -392,6 +392,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 /* Use trusted store first */
 #define X509_V_FLAG_TRUSTED_FIRST 0x8000
+/* Allow partial chains if at least one certificate is in trusted store */
+#define X509_V_FLAG_PARTIAL_CHAIN 0x80000
 #define X509_VP_FLAG_DEFAULT 0x1
 #define X509_VP_FLAG_OVERWRITE 0x2
-- 
2.25.1
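Review bot: The new `-partial_chain` option is parsed in args_verify but nothing in this commit documents it; the diffstat lists only apps/apps.c, crypto/x509/x509_vfy.c and crypto/x509/x509_vfy.h, so whatever help text and manual entry describe the sibling options such as `-trusted_first` are left without the new one. Wherever those live in this tree, a one-line entry such as `-partial_chain: accept a chain whose last certificate is in the trusted store even if it is not a self-signed root` is needed, because the option changes what the verifier treats as a trust anchor rather than merely tuning a check. args_verify continues outside the hunk.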
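Review bot: The added block returns X509_TRUST_TRUSTED for any chain containing at least one certificate taken from the trusted store, so with X509_V_FLAG_PARTIAL_CHAIN every certificate loaded into the store, including intermediates that were loaded only to help chain building, becomes a full trust anchor; the comment should say so explicitly, e.g. `/* With PARTIAL_CHAIN any store certificate, self-signed or not, terminates the chain as a trust anchor; explicit reject decisions in the loop above still win. */`. The check also relies on the chain builder having placed store certificates at indices >= last_untrusted; if chain building only looks up issuers in the store, a leaf certificate that is itself in the store but not self-signed would presumably never reach this path, which is worth confirming and covering. The two nested ifs can be a single condition: `if ((ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) && ctx->last_untrusted < sk_X509_num(ctx->chain)) return X509_TRUST_TRUSTED;`. check_trust starts and ends outside the hunk.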
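Review bot: The new define jumps from 0x8000 to 0x80000 without a comment explaining the gap, so a reader of this branch cannot tell whether the intervening bits are free to allocate. Since the commit is a backport from HEAD, the value was presumably chosen to match HEAD's bit assignment so the flag keeps one meaning across branches; say so, e.g. `/* Allow partial chains if at least one certificate is in trusted store. Bit value kept in sync with HEAD; do not reuse the intervening bits. */`. The comment should also spell out the security consequence that the store certificate need not be self-signed to act as the chain's anchor.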