Add -no_alt_chains option to apps to implement the new
authorMatt Caswell <matt@openssl.org>
Tue, 27 Jan 2015 10:50:38 +0000 (10:50 +0000)
committerMatt Caswell <matt@openssl.org>
Wed, 25 Feb 2015 09:15:02 +0000 (09:15 +0000)
X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building
certificate chains, the first chain found will be the one used. Without this
flag, if the first chain found is not trusted then we will keep looking to
see if we can build an alternative chain instead.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
apps/apps.c
apps/cms.c
apps/ocsp.c
apps/s_client.c
apps/s_server.c
apps/smime.c
apps/verify.c

index bf044d40f85ae2456f7d4ffe60217424eb637e54..8412e24687fa371bc8235d2d6705ff6570471dde 100644 (file)
@@ -2362,6 +2362,8 @@ int args_verify(char ***pargs, int *pargc,
         flags |= X509_V_FLAG_SUITEB_192_LOS;
     else if (!strcmp(arg, "-partial_chain"))
         flags |= X509_V_FLAG_PARTIAL_CHAIN;
+    else if (!strcmp(arg, "-no_alt_chains"))
+        flags |= X509_V_FLAG_NO_ALT_CHAINS;
     else
         return 0;
 
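Review bot: The new `-no_alt_chains` branch sets a flag whose effect is not evident from its name, and nothing near the parser explains it; a one-line comment above the branch, `/* NO_ALT_CHAINS: stop at the first chain built instead of retrying alternative chains when it is untrusted */`, would keep the semantics next to the option. args_verify starts and ends outside the hunk, so every app that routes its option parsing through it will accept `-no_alt_chains` as well; presumably any such app whose usage text is not touched by this commit (only cms, ocsp, s_client, s_server, smime and verify are) would then accept the option undocumented, which is worth confirming.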
index fbb5607398f2de171aeb9f8f17689f9f8e292acb..479d1dddf25774c690867f712e18a8d115e58e00 100644 (file)
@@ -645,6 +645,8 @@ int MAIN(int argc, char **argv)
         BIO_printf(bio_err, "-CAfile file   trusted certificates file\n");
         BIO_printf(bio_err,
                    "-trusted_first use locally trusted certificates first when building trust chain\n");
+        BIO_printf(bio_err,
+                   "-no_alt_chains only ever use the first certificate chain found\n");
         BIO_printf(bio_err,
                    "-crl_check     check revocation status of signer's certificate using CRLs\n");
         BIO_printf(bio_err,
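Review bot: The help string `"-no_alt_chains only ever use the first certificate chain found\n"` names the mechanism but not the consequence a user is choosing: per the commit message, when the first chain built does not end at a trusted certificate, verification no longer looks for an alternative chain and so fails. Wording that states the trade-off, such as `"-no_alt_chains fail if the first certificate chain built is untrusted, instead of trying alternatives\n"`, makes the option easier to use correctly. The same string is added in the ocsp.c, s_client.c, s_server.c and smime.c hunks and would want the same change. The enclosing MAIN starts and ends outside the hunk.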
index 4b9d6f6b330d3c63736a78f68a7fa9f82c29a674..b0b30696765a8ddf26ac8e0563d5e2aa8ac8aea1 100644 (file)
@@ -537,6 +537,8 @@ int MAIN(int argc, char **argv)
                    "-CAfile file         trusted certificates file\n");
         BIO_printf(bio_err,
                    "-trusted_first       use locally trusted CA's first when building trust chain\n");
+        BIO_printf(bio_err,
+                   "-no_alt_chains       only ever use the first certificate chain found\n");
         BIO_printf(bio_err,
                    "-VAfile file         validator certificates file\n");
         BIO_printf(bio_err,
index 1607c6e4388fb91d03866751b2af77f592011756..bc82239f1bef281ea104a303d422443d69ce47d2 100644 (file)
@@ -320,6 +320,8 @@ static void sc_usage(void)
     BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n");
     BIO_printf(bio_err,
                " -trusted_first - Use local CA's first when building trust chain\n");
+    BIO_printf(bio_err,
+               " -no_alt_chains - only ever use the first certificate chain found\n");
     BIO_printf(bio_err,
                " -reconnect    - Drop and re-make the connection with the same Session-ID\n");
     BIO_printf(bio_err,
index 573bc873bf8ab99c208a2965827eef9abd90c727..4311d6d6fba98e83c3ceaad33b75622560b441bb 100644 (file)
@@ -508,6 +508,8 @@ static void sv_usage(void)
     BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n");
     BIO_printf(bio_err,
                " -trusted_first - Use locally trusted CA's first when building trust chain\n");
+    BIO_printf(bio_err,
+               " -no_alt_chains - only ever use the first certificate chain found\n");
     BIO_printf(bio_err,
                " -nocert       - Don't use any certificates (Anon-DH)\n");
     BIO_printf(bio_err,
index 5efe51f7d7ce91d69b658fdc934bfec9a374a84d..930978fd9b11ffcfab4d884b922e20b40d98e8b4 100644 (file)
@@ -443,6 +443,8 @@ int MAIN(int argc, char **argv)
         BIO_printf(bio_err, "-CAfile file   trusted certificates file\n");
         BIO_printf(bio_err,
                    "-trusted_first use locally trusted CA's first when building trust chain\n");
+        BIO_printf(bio_err,
+                   "-no_alt_chains only ever use the first certificate chain found\n");
         BIO_printf(bio_err,
                    "-crl_check     check revocation status of signer's certificate using CRLs\n");
         BIO_printf(bio_err,
index 8f963f86c2e117e2c65957d6f9db143bc0e52aea..e771be22d2d9d64ef65d32e6b1f2f64a5e03dab4 100644 (file)
@@ -236,7 +236,7 @@ int MAIN(int argc, char **argv)
  end:
     if (ret == 1) {
         BIO_printf(bio_err,
-                   "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
+                   "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check] [-no_alt_chains]");
 #ifndef OPENSSL_NO_ENGINE
         BIO_printf(bio_err, " [-engine e]");
 #endif
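Review bot: On the new usage line `[-no_alt_chains]` is appended after `[-crl_check]`, separating it from `[-trusted_first]`, the other option that controls how the chain is built; listing it as `[-trusted_first] [-no_alt_chains] [-purpose purpose] [-crl_check]` groups the related options and matches the order the other apps' help text uses. Unlike cms, ocsp, smime and the s_* apps, verify gets no one-line description of what the option does, which is consistent with its single-line usage style but leaves the flag's effect undocumented here. The enclosing MAIN starts before the hunk.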