Deprecate the -issuer_checks debugging option

This was a developer debugging feature and was never a useful public
interface.

Added all missing X509 error codes to the verify(1) manpage, but
many still need a description beyond the associated text string.

Sorted the errors in x509_txt.c by error number.

Reviewed-by: Stephen Henson <steve@openssl.org>

diff --git a/apps/apps.h b/apps/apps.h
index 3c132e7a9b4b6ef2c56c9434fada154207e92af0..d4c2b11b8bc22911d6f0c311f615126a89671d6b 100644 (file)
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -207,8 +207,7 @@ void wait_for_async(SSL *s);
             "check peer certificate matches \"ipaddr\"" }, \
         { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', \
             "Disable critical extension checking"}, \
             "check peer certificate matches \"ipaddr\"" }, \
         { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', \
             "Disable critical extension checking"}, \

-        { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', \
-            "Enable debugging of certificate issuer checks"}, \
+        { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)"}, \

         { "crl_check", OPT_V_CRL_CHECK, '-', "Check that peer cert has not been revoked" }, \
         { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "Also check all certs in the chain" }, \
         { "policy_check", OPT_V_POLICY_CHECK, '-', "Enable certificate policy checking"}, \
         { "crl_check", OPT_V_CRL_CHECK, '-', "Check that peer cert has not been revoked" }, \
         { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "Also check all certs in the chain" }, \
         { "policy_check", OPT_V_POLICY_CHECK, '-', "Enable certificate policy checking"}, \

diff --git a/apps/opt.c b/apps/opt.c
index 49db5b66e407bd0ac9eb84250ed7b538bf424cda..3525b969c655e1dd351f4c17d2e481a98c35fb63 100644 (file)
--- a/apps/opt.c
+++ b/apps/opt.c
@@ -557,7 +557,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
         X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_IGNORE_CRITICAL);
         break;
     case OPT_V_ISSUER_CHECKS:
         X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_IGNORE_CRITICAL);
         break;
     case OPT_V_ISSUER_CHECKS:

-        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CB_ISSUER_CHECK);
+        /* NOP, deprecated */

         break;
     case OPT_V_CRL_CHECK:
         X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CRL_CHECK);
         break;
     case OPT_V_CRL_CHECK:
         X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CRL_CHECK);

diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index 884c3afdd4336a13568b2d78c279a9ca766da900..f7f27e97ef37f4207bc91733498f4ec20ca7b6dd 100644 (file)
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -90,10 +90,10 @@ const char *X509_verify_cert_error_string(long n)
         return ("CRL signature failure");
     case X509_V_ERR_CERT_NOT_YET_VALID:
         return ("certificate is not yet valid");
         return ("CRL signature failure");
     case X509_V_ERR_CERT_NOT_YET_VALID:
         return ("certificate is not yet valid");

-    case X509_V_ERR_CRL_NOT_YET_VALID:
-        return ("CRL is not yet valid");

     case X509_V_ERR_CERT_HAS_EXPIRED:
         return ("certificate has expired");
     case X509_V_ERR_CERT_HAS_EXPIRED:
         return ("certificate has expired");

+    case X509_V_ERR_CRL_NOT_YET_VALID:
+        return ("CRL is not yet valid");

     case X509_V_ERR_CRL_HAS_EXPIRED:
         return ("CRL has expired");
     case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
     case X509_V_ERR_CRL_HAS_EXPIRED:
         return ("CRL has expired");
     case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:


@@ -120,23 +120,14 @@ const char *X509_verify_cert_error_string(long n)
         return ("certificate revoked");
     case X509_V_ERR_INVALID_CA:
         return ("invalid CA certificate");
         return ("certificate revoked");
     case X509_V_ERR_INVALID_CA:
         return ("invalid CA certificate");

-    case X509_V_ERR_INVALID_NON_CA:
-        return ("invalid non-CA certificate (has CA markings)");

     case X509_V_ERR_PATH_LENGTH_EXCEEDED:
         return ("path length constraint exceeded");
     case X509_V_ERR_PATH_LENGTH_EXCEEDED:
         return ("path length constraint exceeded");

-    case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
-        return ("proxy path length constraint exceeded");
-    case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
-        return
-            ("proxy certificates not allowed, please set the appropriate flag");

     case X509_V_ERR_INVALID_PURPOSE:
         return ("unsupported certificate purpose");
     case X509_V_ERR_CERT_UNTRUSTED:
         return ("certificate not trusted");
     case X509_V_ERR_CERT_REJECTED:
         return ("certificate rejected");
     case X509_V_ERR_INVALID_PURPOSE:
         return ("unsupported certificate purpose");
     case X509_V_ERR_CERT_UNTRUSTED:
         return ("certificate not trusted");
     case X509_V_ERR_CERT_REJECTED:
         return ("certificate rejected");

-    case X509_V_ERR_APPLICATION_VERIFICATION:
-        return ("application verification failure");

     case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
         return ("subject issuer mismatch");
     case X509_V_ERR_AKID_SKID_MISMATCH:
     case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
         return ("subject issuer mismatch");
     case X509_V_ERR_AKID_SKID_MISMATCH:


@@ -151,10 +142,17 @@ const char *X509_verify_cert_error_string(long n)
         return ("unhandled critical extension");
     case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
         return ("key usage does not include CRL signing");
         return ("unhandled critical extension");
     case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
         return ("key usage does not include CRL signing");

-    case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
-        return ("key usage does not include digital signature");

     case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
         return ("unhandled critical CRL extension");
     case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
         return ("unhandled critical CRL extension");

+    case X509_V_ERR_INVALID_NON_CA:
+        return ("invalid non-CA certificate (has CA markings)");
+    case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
+        return ("proxy path length constraint exceeded");
+    case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
+        return ("key usage does not include digital signature");
+    case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
+        return
+            ("proxy certificates not allowed, please set the appropriate flag");

     case X509_V_ERR_INVALID_EXTENSION:
         return ("invalid or inconsistent certificate extension");
     case X509_V_ERR_INVALID_POLICY_EXTENSION:
     case X509_V_ERR_INVALID_EXTENSION:
         return ("invalid or inconsistent certificate extension");
     case X509_V_ERR_INVALID_POLICY_EXTENSION:


@@ -167,13 +165,14 @@ const char *X509_verify_cert_error_string(long n)
         return ("Unsupported extension feature");
     case X509_V_ERR_UNNESTED_RESOURCE:
         return ("RFC 3779 resource not subset of parent's resources");
         return ("Unsupported extension feature");
     case X509_V_ERR_UNNESTED_RESOURCE:
         return ("RFC 3779 resource not subset of parent's resources");

-

     case X509_V_ERR_PERMITTED_VIOLATION:
         return ("permitted subtree violation");
     case X509_V_ERR_EXCLUDED_VIOLATION:
         return ("excluded subtree violation");
     case X509_V_ERR_SUBTREE_MINMAX:
         return ("name constraints minimum and maximum not supported");
     case X509_V_ERR_PERMITTED_VIOLATION:
         return ("permitted subtree violation");
     case X509_V_ERR_EXCLUDED_VIOLATION:
         return ("excluded subtree violation");
     case X509_V_ERR_SUBTREE_MINMAX:
         return ("name constraints minimum and maximum not supported");

+    case X509_V_ERR_APPLICATION_VERIFICATION:
+        return ("application verification failure");

     case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:
         return ("unsupported name constraint type");
     case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX:
     case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:
         return ("unsupported name constraint type");
     case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX:

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index f8b9b503ac0527a5e202e4f9d092abe0b074fd16..ae07f37f36d27c2fcf0d72eb5280831fab516f26 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -318,16 +318,7 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
         }
     }
 
         }
     }
 

-    if (ret == X509_V_OK)
-        return 1;
-    /* If we haven't asked for issuer errors don't set ctx */
-    if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
-        return 0;
-
-    ctx->error = ret;
-    ctx->current_cert = x;
-    ctx->current_issuer = issuer;
-    return ctx->verify_cb(0, ctx);
+    return (ret == X509_V_OK);

 }
 
 /* Alternative lookup method: look from a STACK stored in other_ctx */
 }
 
 /* Alternative lookup method: look from a STACK stored in other_ctx */

diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod
index da91c7f458e257ab751e13244353c99b6c01ef1e..7470fae795c2fd6bb97fddc9d20b3d05e6bca521 100644 (file)
--- a/doc/apps/cms.pod
+++ b/doc/apps/cms.pod
@@ -47,7 +47,6 @@ B<openssl> B<cms>
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]

-[B<-issuer_checks>]

 [B<-partial_chain>]
 [B<-policy arg>]
 [B<-policy_check>]
 [B<-partial_chain>]
 [B<-policy arg>]
 [B<-policy_check>]


@@ -472,12 +471,12 @@ then many S/MIME mail clients check the signers certificate's email
 address matches that specified in the From: address.
 
 =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
 address matches that specified in the From: address.
 
 =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,

-B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
-B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
+B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
+B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,

 B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
 B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,

-B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
-B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
-B<-verify_ip>, B<-verify_name>, B<-x509_strict>
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
+B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
+B<-verify_name>, B<-x509_strict>

 
 Set various certificate chain validation options. See the
 L<verify(1)> manual page for details.
 
 Set various certificate chain validation options. See the
 L<verify(1)> manual page for details.

diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod
index 30d133f05e0f3a083ac5ec23b0bb76985dcd3d86..1ecd92887b236ae4640259fdf55a63cf0b65fe19 100644 (file)
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -42,7 +42,6 @@ B<openssl> B<ocsp>
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]

-[B<-issuer_checks>]

 [B<-partial_chain>]
 [B<-policy arg>]
 [B<-policy_check>]
 [B<-partial_chain>]
 [B<-policy arg>]
 [B<-policy_check>]


@@ -193,12 +192,12 @@ Do not load the trusted CA certificates from the default file location
 Do not load the trusted CA certificates from the default directory location
 
 =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
 Do not load the trusted CA certificates from the default directory location
 
 =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,

-B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
-B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
+B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
+B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,

 B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
 B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,

-B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
-B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
-B<-verify_ip>, B<-verify_name>, B<-x509_strict>
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
+B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
+B<-verify_name>, B<-x509_strict>

 
 Set different certificate verification options.
 See L<B<verify>|verify(1)> manual page for details.
 
 Set different certificate verification options.
 See L<B<verify>|verify(1)> manual page for details.

diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index 394c6494d71c3c1799b0a3949ac35f875fa504e8..c5fe64724d7e6f1b0a2bdc1b49aa0063560b011e 100644 (file)
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -34,7 +34,6 @@ B<openssl> B<s_client>
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]

-[B<-issuer_checks>]

 [B<-partial_chain>]
 [B<-policy arg>]
 [B<-policy_check>]
 [B<-partial_chain>]
 [B<-policy arg>]
 [B<-policy_check>]


@@ -216,12 +215,12 @@ whitespace is ignored in the associated data field.  For example:
   ...
 
 =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
   ...
 
 =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,

-B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
-B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
+B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
+B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,

 B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
 B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,

-B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
-B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
-B<-verify_ip>, B<-verify_name>, B<-x509_strict>
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
+B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
+B<-verify_name>, B<-x509_strict>

 
 Set various certificate chain validation options. See the
 L<verify(1)> manual page for details.
 
 Set various certificate chain validation options. See the
 L<verify(1)> manual page for details.

diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index ffccdce05110dbc4900cc09156ffc36a029cb16a..890a8ead11e80afc83ecc39890970c1603876e24 100644 (file)
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -44,7 +44,6 @@ B<openssl> B<s_server>
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]

-[B<-issuer_checks>]

 [B<-partial_chain>]
 [B<-policy arg>]
 [B<-policy_check>]
 [B<-partial_chain>]
 [B<-policy arg>]
 [B<-policy_check>]


@@ -224,12 +223,13 @@ must supply a certificate or an error occurs.
 If the ciphersuite cannot request a client certificate (for example an
 anonymous ciphersuite or PSK) this option has no effect.
 
 If the ciphersuite cannot request a client certificate (for example an
 anonymous ciphersuite or PSK) this option has no effect.
 

-=item B<-attime>, B<-check_ss_sig>, B<explicit_policy>, B<-extended_crl>,
-B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>,
-B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>,
-B<-suiteB_128>, B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>,
-B<-no_alt_chains>, B<-use_deltas>, B<-verify_depth>, B<-verify_email>,
-B<-verify_hostname>, B<-verify_ip>, B<-verify_name>, B<-x509_strict>
+=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
+B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
+B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,
+B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
+B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
+B<-verify_name>, B<-x509_strict>

 
 Set different peer certificate verification options.
 See the L<verify(1)> manual page for details.
 
 Set different peer certificate verification options.
 See the L<verify(1)> manual page for details.

diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod
index 0f4d3853c24a81982a5f6f332876af1bb6048ebc..62f1417d524e704051c9ae5ff1da110034f8cc32 100644 (file)
--- a/doc/apps/smime.pod
+++ b/doc/apps/smime.pod
@@ -29,7 +29,6 @@ B<openssl> B<smime>
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]

-[B<-issuer_checks>]

 [B<-partial_chain>]
 [B<-policy arg>]
 [B<-policy_check>]
 [B<-partial_chain>]
 [B<-policy arg>]
 [B<-policy_check>]


@@ -304,12 +303,12 @@ then many S/MIME mail clients check the signers certificate's email
 address matches that specified in the From: address.
 
 =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
 address matches that specified in the From: address.
 
 =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,

-B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
-B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
+B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
+B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,

 B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
 B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,

-B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
-B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
-B<-verify_ip>, B<-verify_name>, B<-x509_strict>
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
+B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
+B<-verify_name>, B<-x509_strict>

 
 Set various options of certificate chain verification. See
 L<verify(1)> manual page for details.
 
 Set various options of certificate chain verification. See
 L<verify(1)> manual page for details.

diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index cd87b848ea588ba4ae329b8c075910b82753818b..ac17a331df10989335a53b1877315e9d1ceb2955 100644 (file)
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -24,7 +24,6 @@ B<openssl> B<verify>
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]

-[B<-issuer_checks>]

 [B<-partial_chain>]
 [B<-policy arg>]
 [B<-policy_check>]
 [B<-partial_chain>]
 [B<-policy arg>]
 [B<-policy_check>]


@@ -49,7 +48,6 @@ B<openssl> B<verify>
 [B<->]
 [certificates]
 
 [B<->]
 [certificates]
 

-

 =head1 DESCRIPTION
 
 The B<verify> command verifies certificate chains.
 =head1 DESCRIPTION
 
 The B<verify> command verifies certificate chains.


@@ -148,14 +146,6 @@ Set policy variable inhibit-any-policy (see RFC5280).
 
 Set policy variable inhibit-policy-mapping (see RFC5280).
 
 
 Set policy variable inhibit-policy-mapping (see RFC5280).
 

-=item B<-issuer_checks>
-
-Print out diagnostics relating to searches for the issuer certificate of the
-current certificate. This shows why each candidate issuer certificate was
-rejected. The presence of rejection messages does not itself imply that
-anything is wrong; during the normal verification process, several
-rejections may take place.
-

 =item B<-partial_chain>
 
 Allow verification to succeed even if a I<complete> chain cannot be built to a
 =item B<-partial_chain>
 
 Allow verification to succeed even if a I<complete> chain cannot be built to a


@@ -386,6 +376,10 @@ as "unused".
 
 the operation was successful.
 
 
 the operation was successful.
 

+=item B<1 X509_V_ERR_UNSPECIFIED: unspecified certificate verification error>
+
+unspecified error, should not happen.
+

 =item B<2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate>
 
 the issuer certificate of a looked up certificate could not be found. This
 =item B<2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate>
 
 the issuer certificate of a looked up certificate could not be found. This


@@ -505,31 +499,158 @@ the root CA is marked to reject the specified purpose.
 
 =item B<29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch>
 
 
 =item B<29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch>
 

-the current candidate issuer certificate was rejected because its subject name
-did not match the issuer name of the current certificate. Only displayed when
-the B<-issuer_checks> option is set.
+Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
+B<-issuer_checks> option.

 
 =item B<30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch>
 
 
 =item B<30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch>
 

-the current candidate issuer certificate was rejected because its subject key
-identifier was present and did not match the authority key identifier current
-certificate. Only displayed when the B<-issuer_checks> option is set.
+Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
+B<-issuer_checks> option.

 
 =item B<31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch>
 
 
 =item B<31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch>
 

-the current candidate issuer certificate was rejected because its issuer name
-and serial number was present and did not match the authority key identifier
-of the current certificate. Only displayed when the B<-issuer_checks> option is set.
+Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
+B<-issuer_checks> option.
+
+=item B<32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN: key usage does not include certificate signing>
+
+Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
+B<-issuer_checks> option.
+
+=item B<33 X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: unable to get CRL issuer certificate>
+
+TBA
+
+=item B<34 X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: unhandled critical extension>
+
+TBA
+
+=item B<35 X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: key usage does not include CRL signing>
+
+TBA
+
+=item B<36 X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: unhandled critical CRL extension>
+
+TBA
+
+=item B<37 X509_V_ERR_INVALID_NON_CA: invalid non-CA certificate has CA markings>
+
+TBA
+
+=item B<38 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: proxy path length constraint exceeded>
+
+TBA
+
+=item B<39 X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: key usage does not include digital signature>
+
+TBA
+
+=item B<40 X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: proxy certificates not allowed, please set the appropriate flag>
+
+TBA
+
+=item B<41 X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate extension>
+
+TBA
+
+=item B<42 X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent certificate policy extension>
+
+TBA
+
+=item B<43 X509_V_ERR_NO_EXPLICIT_POLICY: no explicit policy>
+
+TBA
+
+=item B<44 X509_V_ERR_DIFFERENT_CRL_SCOPE: Different CRL scope>
+
+TBA
+
+=item B<45 X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: Unsupported extension feature>
+
+TBA
+
+=item B<46 X509_V_ERR_UNNESTED_RESOURCE: RFC 3779 resource not subset of parent's resources>
+
+TBA
+
+=item B<47 X509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation>

 
 

-=item B<32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing>
+TBA

 
 

-the current candidate issuer certificate was rejected because its keyUsage extension
-does not permit certificate signing.
+=item B<48 X509_V_ERR_EXCLUDED_VIOLATION: excluded subtree violation>
+
+TBA
+
+=item B<49 X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not supported>
+
+TBA

 
 =item B<50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure>
 
 an application specific error. Unused.
 
 
 =item B<50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure>
 
 an application specific error. Unused.
 

+=item B<51 X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint type>
+
+TBA
+
+=item B<52 X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name constraint syntax>
+
+TBA
+
+=item B<53 X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: unsupported or invalid name syntax>
+
+TBA
+
+=item B<54 X509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error>
+
+TBA
+
+=item B<55 X509_V_ERR_PATH_LOOP: Path Loop>
+
+TBA
+
+=item B<56 X509_V_ERR_SUITE_B_INVALID_VERSION: Suite B: certificate version invalid>
+
+TBA
+
+=item B<57 X509_V_ERR_SUITE_B_INVALID_ALGORITHM: Suite B: invalid public key algorithm>
+
+TBA
+
+=item B<58 X509_V_ERR_SUITE_B_INVALID_CURVE: Suite B: invalid ECC curve>
+
+TBA
+
+=item B<59 X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM: Suite B: invalid signature algorithm>
+
+TBA
+
+=item B<60 X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED: Suite B: curve not allowed for this LOS>
+
+TBA
+
+=item B<61 X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256: Suite B: cannot sign P-384 with P-256>
+
+TBA
+
+=item B<62 X509_V_ERR_HOSTNAME_MISMATCH: Hostname mismatch>
+
+TBA
+
+=item B<63 X509_V_ERR_EMAIL_MISMATCH: Email address mismatch>
+
+TBA
+
+=item B<64 X509_V_ERR_IP_ADDRESS_MISMATCH: IP address mismatch>
+
+TBA
+
+=item B<65 X509_V_ERR_DANE_NO_MATCH: No matching DANE TLSA records>
+
+DANE TLSA authentication is enabled, but no TLSA records matched the
+certificate chain.
+This error is only possible in L<s_client(1)>.
+

 =back
 
 =head1 BUGS
 =back
 
 =head1 BUGS


@@ -553,6 +674,10 @@ L<x509(1)>
 
 =head1 HISTORY
 
 
 =head1 HISTORY
 

-The -show_chain option was first added to OpenSSL 1.1.0.
+The B<-show_chain> option was first added to OpenSSL 1.1.0.
+
+The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and
+is silently ignored.

 
 =cut
 
 =cut

+

diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
index 53a063a48c937efd93bdc475801791b66dcf5db1..6fb33edd9101312b0e9e3d772e3b8fe4553393cb 100644 (file)
--- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
@@ -191,12 +191,6 @@ check the signature anyway. A side effect of not checking the root CA
 signature is that disabled or unsupported message digests on the root CA
 are not treated as fatal errors.
 
 signature is that disabled or unsupported message digests on the root CA
 are not treated as fatal errors.
 

-The B<X509_V_FLAG_CB_ISSUER_CHECK> flag enables debugging of certificate
-issuer checks. It is B<not> needed unless you are logging certificate
-verification. If this flag is set then additional status codes will be sent
-to the verification callback and it B<must> be prepared to handle such cases
-without assuming they are hard errors.
-

 If B<X509_V_FLAG_TRUSTED_FIRST> is set, when constructing the certificate chain,
 L<X509_verify_cert(3)> will search the trust store for issuer certificates before
 searching the provided untrusted certificates.
 If B<X509_V_FLAG_TRUSTED_FIRST> is set, when constructing the certificate chain,
 L<X509_verify_cert(3)> will search the trust store for issuer certificates before
 searching the provided untrusted certificates.


@@ -253,5 +247,7 @@ L<X509_check_ip(3)>
 =head1 HISTORY
 
 The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.1.0
 =head1 HISTORY
 
 The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.1.0

+The legacy B<X509_V_FLAG_CB_ISSUER_CHECK> flag is deprecated as of
+OpenSSL 1.1.0, and has no effect.

 
 =cut
 
 =cut

diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index 2ed1e4c00715696050be495874070f40b14ffed9..f2bd0736b94f3172216ed567f0749d628224cbd9 100644 (file)
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -284,7 +284,6 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 
 # define         X509_V_OK                                       0
 # define         X509_V_ERR_UNSPECIFIED                          1
 
 # define         X509_V_OK                                       0
 # define         X509_V_ERR_UNSPECIFIED                          1

-

 # define         X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT            2
 # define         X509_V_ERR_UNABLE_TO_GET_CRL                    3
 # define         X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE     4
 # define         X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT            2
 # define         X509_V_ERR_UNABLE_TO_GET_CRL                    3
 # define         X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE     4


@@ -317,7 +316,6 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 # define         X509_V_ERR_AKID_SKID_MISMATCH                   30
 # define         X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH          31
 # define         X509_V_ERR_KEYUSAGE_NO_CERTSIGN                 32
 # define         X509_V_ERR_AKID_SKID_MISMATCH                   30
 # define         X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH          31
 # define         X509_V_ERR_KEYUSAGE_NO_CERTSIGN                 32

-

 # define         X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER             33
 # define         X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION         34
 # define         X509_V_ERR_KEYUSAGE_NO_CRL_SIGN                 35
 # define         X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER             33
 # define         X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION         34
 # define         X509_V_ERR_KEYUSAGE_NO_CRL_SIGN                 35


@@ -326,18 +324,17 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 # define         X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED           38
 # define         X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE        39
 # define         X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED       40
 # define         X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED           38
 # define         X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE        39
 # define         X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED       40

-

 # define         X509_V_ERR_INVALID_EXTENSION                    41
 # define         X509_V_ERR_INVALID_POLICY_EXTENSION             42
 # define         X509_V_ERR_NO_EXPLICIT_POLICY                   43
 # define         X509_V_ERR_DIFFERENT_CRL_SCOPE                  44
 # define         X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE        45
 # define         X509_V_ERR_INVALID_EXTENSION                    41
 # define         X509_V_ERR_INVALID_POLICY_EXTENSION             42
 # define         X509_V_ERR_NO_EXPLICIT_POLICY                   43
 # define         X509_V_ERR_DIFFERENT_CRL_SCOPE                  44
 # define         X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE        45

-

 # define         X509_V_ERR_UNNESTED_RESOURCE                    46
 # define         X509_V_ERR_UNNESTED_RESOURCE                    46

-

 # define         X509_V_ERR_PERMITTED_VIOLATION                  47
 # define         X509_V_ERR_EXCLUDED_VIOLATION                   48
 # define         X509_V_ERR_SUBTREE_MINMAX                       49
 # define         X509_V_ERR_PERMITTED_VIOLATION                  47
 # define         X509_V_ERR_EXCLUDED_VIOLATION                   48
 # define         X509_V_ERR_SUBTREE_MINMAX                       49

+/* The application is not happy */
+# define         X509_V_ERR_APPLICATION_VERIFICATION             50

 # define         X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE          51
 # define         X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX        52
 # define         X509_V_ERR_UNSUPPORTED_NAME_SYNTAX              53
 # define         X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE          51
 # define         X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX        52
 # define         X509_V_ERR_UNSUPPORTED_NAME_SYNTAX              53


@@ -358,13 +355,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 /* DANE TLSA errors */
 # define         X509_V_ERR_DANE_NO_MATCH                        65
 
 /* DANE TLSA errors */
 # define         X509_V_ERR_DANE_NO_MATCH                        65
 

-/* The application is not happy */
-# define         X509_V_ERR_APPLICATION_VERIFICATION             50

 
 /* Certificate verify flags */
 
 
 /* Certificate verify flags */
 

-/* Send issuer+subject checks to verify_cb */
-# define X509_V_FLAG_CB_ISSUER_CHECK             0x1
+# if OPENSSL_API_COMPAT < 0x10100000L
+#  define X509_V_FLAG_CB_ISSUER_CHECK             0x0   /* Deprecated */
+# endif

 /* Use check time instead of current time */
 # define X509_V_FLAG_USE_CHECK_TIME              0x2
 /* Lookup CRLs */
 /* Use check time instead of current time */
 # define X509_V_FLAG_USE_CHECK_TIME              0x2
 /* Lookup CRLs */