From 51e7a4378a78bb0870a2cdc5c524c230c929ebcb Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 13 Dec 2012 18:14:46 +0000 Subject: [PATCH] New verify flag to return success if we have any certificate in the trusted store instead of the default which is to return an error if we can't build the complete chain. --- apps/apps.c | 2 ++ crypto/x509/x509_vfy.c | 9 +++++++++ crypto/x509/x509_vfy.h | 2 ++ 3 files changed, 13 insertions(+) diff --git a/apps/apps.c b/apps/apps.c index 7f057fb4b2303..984582111c6a7 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2527,6 +2527,8 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_SUITEB_128_LOS; else if (!strcmp(arg, "-suiteB_192")) flags |= X509_V_FLAG_SUITEB_192_LOS; + else if (!strcmp(arg, "-partial_chain")) + flags |= X509_V_FLAG_PARTIAL_CHAIN; else return 0; diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index d96d500f5c026..1983eacf16048 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -756,6 +756,15 @@ static int check_trust(X509_STORE_CTX *ctx) return X509_TRUST_REJECTED; } } + /* If we accept partial chains and have at least one trusted + * certificate return success. + */ + if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) + { + if (ctx->last_untrusted < sk_X509_num(ctx->chain)) + return X509_TRUST_TRUSTED; + } + /* If no trusted certs in chain at all return untrusted and * allow standard (no issuer cert) etc errors to be indicated. */ diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index 58eff53f7211b..a8d61e6e43f58 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -416,6 +416,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_V_FLAG_SUITEB_192_LOS 0x20000 /* Suite B 128 bit mode allowing 192 bit algorithms */ #define X509_V_FLAG_SUITEB_128_LOS 0x30000 +/* Allow partial chains if at least one certificate is in trusted store */ +#define X509_V_FLAG_PARTIAL_CHAIN 0x80000 #define X509_VP_FLAG_DEFAULT 0x1