apps/verify:c: Enable output of multiple verification errors due to -x509_strict
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>
Thu, 3 Dec 2020 11:00:35 +0000 (12:00 +0100)
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>
Fri, 4 Dec 2020 15:24:28 +0000 (16:24 +0100)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13606)

apps/verify.c

index 9a226f03609b9ff30dc2ee8a7924300ce7aa901a..ba4a8c283deb51c68af788e0707c5e1e129be657 100644 (file)
@@ -356,13 +356,28 @@ static int cb(int ok, X509_STORE_CTX *ctx)
         case X509_V_ERR_INVALID_CA:
         case X509_V_ERR_INVALID_NON_CA:
         case X509_V_ERR_PATH_LENGTH_EXCEEDED:
-        case X509_V_ERR_INVALID_PURPOSE:
         case X509_V_ERR_CRL_HAS_EXPIRED:
         case X509_V_ERR_CRL_NOT_YET_VALID:
         case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
+            /* errors due to strict conformance checking (-x509_strict) */
+        case X509_V_ERR_INVALID_PURPOSE:
+        case X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA:
+        case X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN:
+        case X509_V_ERR_CA_BCONS_NOT_CRITICAL:
+        case X509_V_ERR_CA_CERT_MISSING_KEY_USAGE:
+        case X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA:
+        case X509_V_ERR_ISSUER_NAME_EMPTY:
+        case X509_V_ERR_SUBJECT_NAME_EMPTY:
+        case X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL:
+        case X509_V_ERR_EMPTY_SUBJECT_ALT_NAME:
+        case X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY:
+        case X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL:
+        case X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL:
+        case X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER:
+        case X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER:
+        case X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3:
             ok = 1;
         }
-
         return ok;
 
     }
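Review bot: After the seventeen new labels, `cb()` returns 1 for strict-conformance errors such as X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY and X509_V_ERR_CA_CERT_MISSING_KEY_USAGE, so X509_verify_cert() will report success for a chain that failed -x509_strict; that is only sound if the caller takes the verdict from X509_STORE_CTX_get_error(ctx) rather than from the return value, and since the start of `cb()` and its caller are outside the hunk I cannot confirm that contract here. The new comment at the head of the group should state it rather than only naming the option, e.g. `/* errors due to strict conformance checking (-x509_strict); returning ok here only keeps the chain walk going so every error is printed, the caller must still treat a non-X509_V_OK ctx error as failure */`. X509_V_ERR_INVALID_PURPOSE is moved under that comment, but as far as I recall it is also raised by an ordinary -purpose check, so grouping it as strict-only is somewhat misleading; leaving it in the previous group or adding a one-word qualifier would avoid that.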