authorDr. Stephen Henson <steve@openssl.org>2010-02-25 01:17:22 +0100
committerDr. Stephen Henson <steve@openssl.org>2010-02-25 01:17:22 +0100
commitfbd2164044f92383955a801ad1b2857d71e83f27 (patch)
treedfd027788b737a91b8103a1b5ae751e695c5d014 /crypto/x509/x509_trs.c
parentallow setting of verify names in command line utilities and print out verify ... (diff)
Experimental support for partial chain verification: if an intermediate
certificate is explicitly trusted (using -addtrust option to x509 utility for example) the verification is successful even if the chain is not complete.
Diffstat (limited to 'crypto/x509/x509_trs.c')
-rw-r--r--crypto/x509/x509_trs.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c
index a6cb9c8b1b..3d7e06815c 100644
--- a/crypto/x509/x509_trs.c
+++ b/crypto/x509/x509_trs.c
@@ -114,6 +114,15 @@ int X509_check_trust(X509 *x, int id, int flags)
X509_TRUST *pt;
int idx;
if(id == -1) return 1;
+ /* We get this as a default value */
+ if (id == 0)
+ {
+ int rv;
+ rv = obj_trust(NID_anyExtendedKeyUsage, x, 0);
+ if (rv != X509_TRUST_UNTRUSTED)
+ return rv;
+ return trust_compat(NULL, x, 0);
+ }
idx = X509_TRUST_get_by_id(id);
if(idx == -1) return default_trust(id, x, flags);
pt = X509_TRUST_get0(idx);
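Review bot: The comment `/* We get this as a default value */` on the new `id == 0` branch does not say what the branch decides, which matters because this is the path that lets an explicitly trusted certificate end an incomplete chain. I would replace it with something like `/* id 0 is the default (no trust id set): honour an explicit anyExtendedKeyUsage trust or reject setting on x, otherwise fall back to trust_compat() */`. The branch also passes a literal `0` instead of `flags` to `obj_trust` and `trust_compat`, and `NULL` as the first argument of `trust_compat`, while the `default_trust(id, x, flags)` call below forwards the caller's flags. Neither helper's body is in the hunk, so if they are meant to ignore those arguments a short comment saying so would help; otherwise use `rv = obj_trust(NID_anyExtendedKeyUsage, x, flags);`. The body of X509_check_trust starts and ends outside the hunk.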