New verify flag to return success if we have any certificate in the
[openssl.git] / crypto / x509 / x509_vfy.c
index d96d500f5c02623e33517c989151ff262d04c4da..1983eacf160483c188e6c3904cb9bac7a0bb21aa 100644 (file)
@@ -756,6 +756,15 @@ static int check_trust(X509_STORE_CTX *ctx)
                                return X509_TRUST_REJECTED;
                        }
                }
+       /* If we accept partial chains and have at least one trusted
+        * certificate return success.
+        */
+       if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
+               {
+               if (ctx->last_untrusted < sk_X509_num(ctx->chain))
+                       return X509_TRUST_TRUSTED;
+               }
+
        /* If no trusted certs in chain at all return untrusted and
         * allow standard (no issuer cert) etc errors to be indicated.
         */
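Review bot: The added comment in check_trust promises "at least one trusted certificate", but the test `ctx->last_untrusted < sk_X509_num(ctx->chain)` only shows that some chain entry sits past the untrusted portion, presumably because it was found in the trust store. It does not consult that certificate's trust settings, and the loop ending just above the added lines (only its tail is visible here) appears to have already fallen through without finding an explicitly trusted entry. With X509_V_FLAG_PARTIAL_CHAIN set, any certificate present in the store, including an intermediate that is not self-signed, therefore ends the chain as an anchor, and nothing above it is verified. I would say so in the comment, e.g. `/* Partial chains: any chain cert taken from the trust store (index >= last_untrusted) is accepted as an anchor, even with no explicit trust settings and even if it is not self-signed. */`, and repeat the caveat wherever the flag is documented so callers populate the store accordingly. The function starts before and continues past this hunk.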