Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

apps/verify:c: Enable output of multiple verification errors due to -x509_strict #13606

Closed
wants to merge 3 commits into from
Closed

apps/verify:c: Enable output of multiple verification errors due to -x509_strict #13606

wants to merge 3 commits into from

Conversation

DDvO
Copy link
Contributor

@DDvO DDvO commented Dec 3, 2020
edited

While handling #13471 I found that the verify app does not show all errors that should come up when strict X.509 checking is enabled. For instance, with missing AKID and SKID fields, the output of

apps/openssl verify -x509_strict -CAfile root.pem server.pem

should contain not only one, but two errors, namely these:

CN = server
error 85 at 0 depth lookup: Missing Authority Key Identifier
CN = root
error 86 at 1 depth lookup: Missing Subject Key Identifier
error server.pem: verification failed

which is achieved by this PR.

On this occasion I also

  • improved (correcting typos etc.) a couple of comments in x509_vfy.c
  • fixed two glitches in test/certs/setup.sh

@DDvO DDvO added the approval: otc review pending This pull request needs review by an OTC member label Dec 3, 2020
@DDvO DDvO force-pushed the extend-x509_strict-dianostics branch from 20c4f06 to 1ee5b36 Compare December 3, 2020 14:27
t8m
t8m approved these changes Dec 3, 2020
View reviewed changes
Copy link
Member

@t8m t8m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@t8m t8m added approval: done This pull request has the required number of approvals branch: master Merge to master branch and removed approval: otc review pending This pull request needs review by an OTC member labels Dec 3, 2020
@DDvO
Copy link
Contributor Author

DDvO commented Dec 4, 2020

Merged - thanks @t8m

@DDvO DDvO closed this Dec 4, 2020
openssl-machine pushed a commit that referenced this pull request Dec 4, 2020
@DDvO
apps/verify:c: Enable output of multiple verification errors due to -…
f974b61 
…x509_strict

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from #13606)
openssl-machine pushed a commit that referenced this pull request Dec 4, 2020
@DDvO
x509_vfy.c: Improve comments (correcting typos etc.)
e99505b 
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from #13606)
openssl-machine pushed a commit that referenced this pull request Dec 4, 2020
@DDvO
test/certs/setup.sh: Fix two glitches
d7cdb8b 
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from #13606)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@t8m t8m t8m approved these changes

Assignees
No one assigned
Labels
approval: done This pull request has the required number of approvals branch: master Merge to master branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@DDvO @t8m