By default X509_check_trust() trusts self-signed certificates from
the trust store that have no explicit local trust/reject oids
encapsulated as a "TRUSTED CERTIFICATE" object. (See the -addtrust
and -trustout options of x509(1)).
This commit adds a flag that makes it possible to distinguish between
that implicit trust, and explicit auxiliary settings.
With flags |= X509_TRUST_NO_SS_COMPAT, a certificate is only trusted
via explicit trust settings.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
{
/* Call for side-effect of computing hash and caching extensions */
X509_check_purpose(x, -1, 0);
- if (x->ex_flags & EXFLAG_SS)
+ if ((flags & X509_TRUST_NO_SS_COMPAT) == 0 && x->ex_flags & EXFLAG_SS)
return X509_TRUST_TRUSTED;
else
return X509_TRUST_UNTRUSTED;
# define X509_TRUST_MAX 8
/* trust_flags values */
-# define X509_TRUST_DYNAMIC 1
-# define X509_TRUST_DYNAMIC_NAME 2
+# define X509_TRUST_DYNAMIC (1U << 0)
+# define X509_TRUST_DYNAMIC_NAME (1U << 1)
+# define X509_TRUST_NO_SS_COMPAT (1U << 2)
/* check_trust return codes */