author | Matt Caswell <matt@openssl.org> | 2015-09-22 17:00:52 +0200 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2015-09-25 15:49:59 +0200 |
commit | 2b6bcb702d237171ec5217956a42c8dce031ea51 (patch) | |
tree | 28ae33107e186389f048d4e7f0aa9a9a12ed79a2 /apps/verify.c | |
parent | Document the default CA path functions (diff) | |
Add support for -no-CApath and -no-CAfile options
For those command line options that take the verification options
-CApath and -CAfile, if those options are absent then the default path or
file is used instead. It is not currently possible to specify *no* path or
file at all. This change adds the options -no-CApath and -no-CAfile, which
specify that the default locations should not be used, to all relevant
applications.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Diffstat (limited to 'apps/verify.c')
-rw-r--r-- | apps/verify.c | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/apps/verify.c b/apps/verify.c
index ce0ad249f2..61f8cf7579 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -73,8 +73,8 @@ static int v_verbose = 0, vflags = 0;
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
- OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_UNTRUSTED, OPT_TRUSTED,
- OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN,
+ OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE,
+ OPT_UNTRUSTED, OPT_TRUSTED, OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN,
OPT_V_ENUM,
OPT_VERBOSE
} OPTION_CHOICE;
@@ -87,6 +87,10 @@ OPTIONS verify_options[] = {
"Print extra information about the operations being performed."},
{"CApath", OPT_CAPATH, '/', "A directory of trusted certificates"},
{"CAfile", OPT_CAFILE, '<', "A file of trusted certificates"},
+ {"no-CAfile", OPT_NOCAFILE, '-', "Do not load the default certificates file"},
+ {"no-CApath", OPT_NOCAPATH, '-', "Do not load certificates from the default certificates directory"},
{"untrusted", OPT_UNTRUSTED, '<', "A file of untrusted certificates"},
{"trusted", OPT_TRUSTED, '<', "A file of trusted certificates"},
{"CRLfile", OPT_CRLFILE, '<',
@@ -110,6 +114,7 @@ int verify_main(int argc, char **argv)
X509_STORE *store = NULL;
X509_VERIFY_PARAM *vpm = NULL;
char *prog, *CApath = NULL, *CAfile = NULL;
+ int noCApath = 0, noCAfile = 0;
char *untfile = NULL, *trustfile = NULL, *crlfile = NULL;
int vpmtouched = 0, crl_download = 0, show_chain = 0, i = 0, ret = 1;
OPTION_CHOICE o;
@@ -155,6 +160,12 @@ int verify_main(int argc, char **argv)
case OPT_CAFILE:
CAfile = opt_arg();
break;
+ case OPT_NOCAPATH:
+ noCApath = 1;
+ break;
+ case OPT_NOCAFILE:
+ noCAfile = 1;
+ break;
case OPT_UNTRUSTED:
untfile = opt_arg();
break;
@@ -190,7 +201,7 @@ int verify_main(int argc, char **argv)
if (!app_load_modules(NULL))
goto end;
- if ((store = setup_verify(CAfile, CApath)) == NULL)
+ if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
goto end;
X509_STORE_set_verify_cb(store, cb);
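Review bot: The help strings of the two new verify_options[] entries do not tell the operator what the trust store ends up holding: passing both -no-CAfile and -no-CApath without -CAfile, -CApath or -trusted presumably leaves no trust anchors at all, so every chain fails to verify, which is the fail-closed outcome one wants but is worth spelling out. Suggest `"Do not load the default certificates file (supply trust anchors with -CAfile or -trusted)"` and the matching wording for -no-CApath. Whether the flag also suppresses an explicitly given -CAfile/-CApath is decided inside setup_verify, outside this hunk, so the text should be checked against that implementation. The verify_options[] table continues past the end of the hunk.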
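Review bot: The new setup_verify call passes both CAfile and noCAfile (and CApath and noCApath) without anything having rejected the contradictory combination -CAfile together with -no-CAfile, or -CApath with -no-CApath; the option switch in the earlier hunk just records each independently, so whichever setup_verify prefers is invisible to the operator, who may believe the explicit file was loaded when it was not, or that the default was skipped when it was used. A guard before the call makes the outcome explicit: `if ((CAfile != NULL && noCAfile) || (CApath != NULL && noCApath)) goto end;` preceded by a message naming the conflicting options; leaving ret at its initial value of 1 (visible in the declarations hunk) makes the run exit non-zero. verify_main continues outside this hunk on both sides.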