From 9d2006d8ed733522014035ec0514e23a312083e8 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 26 Sep 2012 13:50:42 +0000 Subject: [PATCH] add -trusted_first option and verify flag (backport from HEAD) --- CHANGES | 4 ++++ apps/apps.c | 2 ++ crypto/x509/x509_vfy.c | 16 ++++++++++++++++ crypto/x509/x509_vfy.h | 2 ++ 4 files changed, 24 insertions(+) diff --git a/CHANGES b/CHANGES index f835089fa4..4d71d95af5 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,10 @@ Changes between 1.0.1 and 1.0.2 [xx XXX xxxx] + *) Add -trusted_first option which attempts to find certificates in the + trusted store even if an untrusted chain is also supplied. + [Steve Henson] + *) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE, platform support for Linux and Android. [Andy Polyakov] diff --git a/apps/apps.c b/apps/apps.c index 4e11915b02..d8d8a70acd 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2358,6 +2358,8 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_NOTIFY_POLICY; else if (!strcmp(arg, "-check_ss_sig")) flags |= X509_V_FLAG_CHECK_SS_SIGNATURE; + else if (!strcmp(arg, "-trusted_first")) + flags |= X509_V_FLAG_TRUSTED_FIRST; else return 0; diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index b0779db023..ba10811f80 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -206,6 +206,22 @@ int X509_verify_cert(X509_STORE_CTX *ctx) /* If we are self signed, we break */ if (ctx->check_issued(ctx, x,x)) break; + /* If asked see if we can find issuer in trusted store first */ + if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) + { + ok = ctx->get_issuer(&xtmp, ctx, x); + if (ok < 0) + return ok; + /* If successful for now free up cert so it + * will be picked up again later. + */ + if (ok > 0) + { + X509_free(xtmp); + break; + } + } + /* If we were passed a cert chain, use it first */ if (ctx->untrusted != NULL) { diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index fe09b30aaa..d53f3e3869 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_V_FLAG_USE_DELTAS 0x2000 /* Check selfsigned CA signature */ #define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000 +/* Use trusted store first */ +#define X509_V_FLAG_TRUSTED_FIRST 0x8000 #define X509_VP_FLAG_DEFAULT 0x1 -- 2.25.1