Allow proxy certs to be present when verifying a chain

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>

diff --git a/apps/apps.h b/apps/apps.h
index 616f1840c062a4ca8ea2178e0e9b0ea6b685a18f..319b02ef1948e3e9dd6a85109b7e85e4e141d0ff 100644 (file)
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -85,7 +85,7 @@ int has_stdin_waiting(void);
         OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
         OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
         OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
-        OPT_V_VERIFY_AUTH_LEVEL, \
+        OPT_V_VERIFY_AUTH_LEVEL, OPT_V_ALLOW_PROXY_CERTS, \
         OPT_V__LAST
 
 # define OPT_V_OPTIONS \
@@ -135,7 +135,8 @@ int has_stdin_waiting(void);
         { "partial_chain", OPT_V_PARTIAL_CHAIN, '-', \
             "accept chains anchored by intermediate trust-store CAs"}, \
         { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)" }, \
-        { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }
+        { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }, \
+        { "allow_proxy_certs", OPT_V_ALLOW_PROXY_CERTS, '-', "allow the use of proxy certificates" }
 
 # define OPT_V_CASES \
         OPT_V__FIRST: case OPT_V__LAST: break; \
@@ -167,7 +168,8 @@ int has_stdin_waiting(void);
         case OPT_V_SUITEB_192: \
         case OPT_V_PARTIAL_CHAIN: \
         case OPT_V_NO_ALT_CHAINS: \
-        case OPT_V_NO_CHECK_TIME
+        case OPT_V_NO_CHECK_TIME: \
+        case OPT_V_ALLOW_PROXY_CERTS
 
 /*
  * Common "extended"? options.

diff --git a/apps/opt.c b/apps/opt.c
index d694fe15f20d141e25d0118f619e65702516bfcc..f72ac64ec7a4eb020225d36a1238feca337131ba 100644 (file)
--- a/apps/opt.c
+++ b/apps/opt.c
@@ -580,6 +580,9 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
     case OPT_V_NO_CHECK_TIME:
         X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME);
         break;
+    case OPT_V_ALLOW_PROXY_CERTS:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_ALLOW_PROXY_CERTS);
+        break;
     }
     return 1;
 

diff --git a/apps/verify.c b/apps/verify.c
index 86d1b2a8517e3d28f9f7625b05c18464d9e4143b..40e19d45dc9ad6dd034d09784bc358d0b34ff159 100644 (file)
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -214,6 +214,7 @@ static int check(X509_STORE *ctx, char *file,
                (file == NULL) ? "stdin" : file);
         goto end;
     }
+
     X509_STORE_set_flags(ctx, vflags);
     if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
         printf("error %s: X.509 store context initialization failed\n",

diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index 051cd624f1f6be42ce9793a395bfcb7c517422c6..0fd1799af25a20c394f4bd15480d7a735d881397 100644 (file)
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -12,6 +12,7 @@ B<openssl> B<verify>
 [B<-CApath directory>]
 [B<-no-CAfile>]
 [B<-no-CApath>]
+[B<-allow_proxy_certs>]
 [B<-attime timestamp>]
 [B<-check_ss_sig>]
 [B<-CRLfile file>]
@@ -83,6 +84,10 @@ Do not load the trusted CA certificates from the default file location
 
 Do not load the trusted CA certificates from the default directory location
 
+=item B<-allow_proxy_certs>
+
+Allow the verification of proxy certificates
+
 =item B<-attime timestamp>
 
 Perform validation checks using time specified by B<timestamp> and not
@@ -564,13 +569,18 @@ Invalid non-CA certificate has CA markings.
 
 Proxy path length constraint exceeded.
 
+=item B<X509_V_ERR_PROXY_SUBJECT_INVALID>
+
+Proxy certificate subject is invalid.  It MUST be the same as the issuer
+with a single CN component added.
+
 =item B<X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE>
 
 Key usage does not include digital signature.
 
 =item B<X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED>
 
-Proxy certificates not allowed, please set the appropriate flag.
+Proxy certificates not allowed, please use B<-allow_proxy_certs>.
 
 =item B<X509_V_ERR_INVALID_EXTENSION>