Add -no_alt_chains option to apps to implement the new
authorMatt Caswell <matt@openssl.org>
Tue, 27 Jan 2015 10:50:38 +0000 (10:50 +0000)
committerMatt Caswell <matt@openssl.org>
Mon, 20 Apr 2015 12:42:17 +0000 (13:42 +0100)
X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building
certificate chains, the first chain found will be the one used. Without this
flag, if the first chain found is not trusted then we will keep looking to
see if we can build an alternative chain instead.

Conflicts:
apps/cms.c
apps/ocsp.c
apps/s_client.c
apps/s_server.c
apps/smime.c
apps/verify.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
apps/apps.c
apps/cms.c
apps/ocsp.c
apps/s_client.c
apps/s_server.c
apps/smime.c
apps/verify.c

index 6d22a080205cbc0db6d1130ee325d3c1e9a2b079..7478fc379a55da980112bbcb17da402f7cdb22e8 100644 (file)
@@ -2371,6 +2371,8 @@ int args_verify(char ***pargs, int *pargc,
         flags |= X509_V_FLAG_SUITEB_192_LOS;
     else if (!strcmp(arg, "-partial_chain"))
         flags |= X509_V_FLAG_PARTIAL_CHAIN;
+    else if (!strcmp(arg, "-no_alt_chains"))
+        flags |= X509_V_FLAG_NO_ALT_CHAINS;
     else
         return 0;
 
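Review bot: The new `else if` in args_verify maps `-no_alt_chains` to X509_V_FLAG_NO_ALT_CHAINS without a word on what the flag gives up, and since this is the single place the option is parsed for every app, a comment here is worth more than the per-app usage strings. Suggest `/* Stop at the first chain built, even if it is untrusted, instead of searching for an alternative chain (X509_V_FLAG_NO_ALT_CHAINS) */` above the new case. The practical consequence, which the help text "only ever use the first certificate chain found" does not convey, is that a leaf whose first-found path runs through an untrusted or stale cross-signing intermediate will now fail verification even when a trusted alternative path exists; that is presumably the intent (restoring the older, stricter behaviour), but operators reading `-help` should be told it is a failure mode, not just a speed-up. args_verify starts before and continues past this hunk.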
index d287a2ba4bae8969a0108a695a69821134a729b7..60479374cdf28e0ab13637012f3f1c25cd2ea01e 100644 (file)
@@ -645,6 +645,8 @@ int MAIN(int argc, char **argv)
         BIO_printf(bio_err,
                    "-CApath dir    trusted certificates directory\n");
         BIO_printf(bio_err, "-CAfile file   trusted certificates file\n");
+        BIO_printf(bio_err,
+                   "-no_alt_chains only ever use the first certificate chain found\n");
         BIO_printf(bio_err,
                    "-crl_check     check revocation status of signer's certificate using CRLs\n");
         BIO_printf(bio_err,
index ebb3732cd76f375c8737e851aba4aa4b93ae782e..b858b8d3ee0023b3c5acc42ffd699df5e2d2cf90 100644 (file)
@@ -535,6 +535,8 @@ int MAIN(int argc, char **argv)
                    "-CApath dir          trusted certificates directory\n");
         BIO_printf(bio_err,
                    "-CAfile file         trusted certificates file\n");
+        BIO_printf(bio_err,
+                   "-no_alt_chains       only ever use the first certificate chain found\n");
         BIO_printf(bio_err,
                    "-VAfile file         validator certificates file\n");
         BIO_printf(bio_err,
index d53bca14a0b75d29ff45ce1428f2c7d3d06acc1a..e55f2c5abc88b71df56c8fc4a937d24d9fc622f4 100644 (file)
@@ -331,6 +331,8 @@ static void sc_usage(void)
                " -pass arg     - private key file pass phrase source\n");
     BIO_printf(bio_err, " -CApath arg   - PEM format directory of CA's\n");
     BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n");
+    BIO_printf(bio_err,
+               " -no_alt_chains - only ever use the first certificate chain found\n");
     BIO_printf(bio_err,
                " -reconnect    - Drop and re-make the connection with the same Session-ID\n");
     BIO_printf(bio_err,
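Review bot: The option column of the new sc_usage line is one character wider than its neighbours: `" -CAfile arg   - "` pads the name to 13 characters before the dash while `" -no_alt_chains - "` uses 14, so the description column no longer lines up in the printed help. Either accept the offset or shorten the padding convention for the surrounding entries; the identical line is added to sv_usage in s_server.c in this commit with the same offset. The cms, ocsp and smime usage lines in the same commit do match their neighbours' widths. sc_usage starts before and continues past this hunk.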
index 2597e8c7085b2aa32c795dda33cea5e62493e87e..5d58fe0bdf82f5278da8022e02f6b7802e80f1dc 100644 (file)
@@ -553,6 +553,8 @@ static void sv_usage(void)
     BIO_printf(bio_err, " -state        - Print the SSL states\n");
     BIO_printf(bio_err, " -CApath arg   - PEM format directory of CA's\n");
     BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n");
+    BIO_printf(bio_err,
+               " -no_alt_chains - only ever use the first certificate chain found\n");
     BIO_printf(bio_err,
                " -nocert       - Don't use any certificates (Anon-DH)\n");
     BIO_printf(bio_err,
index 764509f23f47c351aa4a100f77e43f99abee433a..6044ccf5f5905f276cc9ce6b684d6b7e490a2aa4 100644 (file)
@@ -441,6 +441,8 @@ int MAIN(int argc, char **argv)
         BIO_printf(bio_err,
                    "-CApath dir    trusted certificates directory\n");
         BIO_printf(bio_err, "-CAfile file   trusted certificates file\n");
+        BIO_printf(bio_err,
+                   "-no_alt_chains only ever use the first certificate chain found\n");
         BIO_printf(bio_err,
                    "-crl_check     check revocation status of signer's certificate using CRLs\n");
         BIO_printf(bio_err,
index b3ba53d97f02ae095d6d9eea341523df0433b066..78e729fc890f992304a35ea7e88a2d9b94afd123 100644 (file)
@@ -232,7 +232,7 @@ int MAIN(int argc, char **argv)
     if (ret == 1) {
         BIO_printf(bio_err,
                    "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
-        BIO_printf(bio_err, " [-attime timestamp]");
+        BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
 #ifndef OPENSSL_NO_ENGINE
         BIO_printf(bio_err, " [-engine e]");
 #endif