Move peer chain security checks into x509_vfy.c

A new X509_VERIFY_PARAM_set_auth_level() function sets the
authentication security level.  For verification of SSL peers, this
is automatically set from the SSL security level.  Otherwise, for
now, the authentication security level remains at (effectively) 0
by default.

The new "-auth_level" verify(1) option is available in all the
command-line tools that support the standard verify(1) options.

New verify(1) tests added to check enforcement of chain signature
and public key security levels.  Also added new tests of enforcement
of the verify_depth limit.

Updated documentation.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

1 files changed, 7 insertions, 3 deletions

diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
index 99e7d2a342..ec2e374038 100755
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@@ -10,6 +10,10 @@
 #
 DAYS=36525
 
+if [ -z "$OPENSSL_SIGALG" ]; then
+    OPENSSL_SIGALG=sha256
+fi
+
 stderr_onerror() {
     (
         err=$("$@" >&3 2>&1) || {
@@ -53,7 +57,7 @@ req() {
     local errs
 
     stderr_onerror \
-        openssl req -new -sha256 -key "${key}.pem" \
+        openssl req -new -"${OPENSSL_SIGALG}" -key "${key}.pem" \
             -config <(printf "[req]\n%s\n%s\n[dn]\nCN=%s\n" \
 		      "prompt = no" "distinguished_name = dn" "${cn}")
 }
@@ -63,7 +67,7 @@ req_nocn() {
 
     key "$key"
     stderr_onerror \
-        openssl req -new -sha256 -subj / -key "${key}.pem" \
+        openssl req -new -"${OPENSSL_SIGALG}" -subj / -key "${key}.pem" \
             -config <(printf "[req]\n%s\n[dn]\nCN_default =\n" \
 		      "distinguished_name = dn")
 }
@@ -73,7 +77,7 @@ cert() {
     local exts=$1; shift
 
     stderr_onerror \
-        openssl x509 -req -sha256 -out "${cert}.pem" \
+        openssl x509 -req -"${OPENSSL_SIGALG}" -out "${cert}.pem" \
             -extfile <(printf "%s\n" "$exts") "$@"
 }