"check peer certificate matches \"ipaddr\"" }, \
{ "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', \
"Disable critical extension checking"}, \
- { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', \
- "Enable debugging of certificate issuer checks"}, \
+ { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)"}, \
{ "crl_check", OPT_V_CRL_CHECK, '-', "Check that peer cert has not been revoked" }, \
{ "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "Also check all certs in the chain" }, \
{ "policy_check", OPT_V_POLICY_CHECK, '-', "Enable certificate policy checking"}, \
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_IGNORE_CRITICAL);
break;
case OPT_V_ISSUER_CHECKS:
- X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CB_ISSUER_CHECK);
+ /* NOP, deprecated */
break;
case OPT_V_CRL_CHECK:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CRL_CHECK);
return ("CRL signature failure");
case X509_V_ERR_CERT_NOT_YET_VALID:
return ("certificate is not yet valid");
- case X509_V_ERR_CRL_NOT_YET_VALID:
- return ("CRL is not yet valid");
case X509_V_ERR_CERT_HAS_EXPIRED:
return ("certificate has expired");
+ case X509_V_ERR_CRL_NOT_YET_VALID:
+ return ("CRL is not yet valid");
case X509_V_ERR_CRL_HAS_EXPIRED:
return ("CRL has expired");
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
return ("certificate revoked");
case X509_V_ERR_INVALID_CA:
return ("invalid CA certificate");
- case X509_V_ERR_INVALID_NON_CA:
- return ("invalid non-CA certificate (has CA markings)");
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
return ("path length constraint exceeded");
- case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
- return ("proxy path length constraint exceeded");
- case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
- return
- ("proxy certificates not allowed, please set the appropriate flag");
case X509_V_ERR_INVALID_PURPOSE:
return ("unsupported certificate purpose");
case X509_V_ERR_CERT_UNTRUSTED:
return ("certificate not trusted");
case X509_V_ERR_CERT_REJECTED:
return ("certificate rejected");
- case X509_V_ERR_APPLICATION_VERIFICATION:
- return ("application verification failure");
case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
return ("subject issuer mismatch");
case X509_V_ERR_AKID_SKID_MISMATCH:
return ("unhandled critical extension");
case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
return ("key usage does not include CRL signing");
- case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
- return ("key usage does not include digital signature");
case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
return ("unhandled critical CRL extension");
+ case X509_V_ERR_INVALID_NON_CA:
+ return ("invalid non-CA certificate (has CA markings)");
+ case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
+ return ("proxy path length constraint exceeded");
+ case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
+ return ("key usage does not include digital signature");
+ case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
+ return
+ ("proxy certificates not allowed, please set the appropriate flag");
case X509_V_ERR_INVALID_EXTENSION:
return ("invalid or inconsistent certificate extension");
case X509_V_ERR_INVALID_POLICY_EXTENSION:
return ("Unsupported extension feature");
case X509_V_ERR_UNNESTED_RESOURCE:
return ("RFC 3779 resource not subset of parent's resources");
-
case X509_V_ERR_PERMITTED_VIOLATION:
return ("permitted subtree violation");
case X509_V_ERR_EXCLUDED_VIOLATION:
return ("excluded subtree violation");
case X509_V_ERR_SUBTREE_MINMAX:
return ("name constraints minimum and maximum not supported");
+ case X509_V_ERR_APPLICATION_VERIFICATION:
+ return ("application verification failure");
case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:
return ("unsupported name constraint type");
case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX:
}
}
- if (ret == X509_V_OK)
- return 1;
- /* If we haven't asked for issuer errors don't set ctx */
- if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
- return 0;
-
- ctx->error = ret;
- ctx->current_cert = x;
- ctx->current_issuer = issuer;
- return ctx->verify_cb(0, ctx);
+ return (ret == X509_V_OK);
}
/* Alternative lookup method: look from a STACK stored in other_ctx */
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
-[B<-issuer_checks>]
[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
address matches that specified in the From: address.
=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
-B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
-B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
+B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
+B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
-B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
-B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
-B<-verify_ip>, B<-verify_name>, B<-x509_strict>
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
+B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
+B<-verify_name>, B<-x509_strict>
Set various certificate chain validation options. See the
L<verify(1)> manual page for details.
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
-[B<-issuer_checks>]
[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
Do not load the trusted CA certificates from the default directory location
=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
-B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
-B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
+B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
+B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
-B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
-B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
-B<-verify_ip>, B<-verify_name>, B<-x509_strict>
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
+B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
+B<-verify_name>, B<-x509_strict>
Set different certificate verification options.
See L<B<verify>|verify(1)> manual page for details.
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
-[B<-issuer_checks>]
[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
...
=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
-B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
-B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
+B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
+B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
-B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
-B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
-B<-verify_ip>, B<-verify_name>, B<-x509_strict>
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
+B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
+B<-verify_name>, B<-x509_strict>
Set various certificate chain validation options. See the
L<verify(1)> manual page for details.
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
-[B<-issuer_checks>]
[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
If the ciphersuite cannot request a client certificate (for example an
anonymous ciphersuite or PSK) this option has no effect.
-=item B<-attime>, B<-check_ss_sig>, B<explicit_policy>, B<-extended_crl>,
-B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>,
-B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>,
-B<-suiteB_128>, B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>,
-B<-no_alt_chains>, B<-use_deltas>, B<-verify_depth>, B<-verify_email>,
-B<-verify_hostname>, B<-verify_ip>, B<-verify_name>, B<-x509_strict>
+=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
+B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
+B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,
+B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
+B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
+B<-verify_name>, B<-x509_strict>
Set different peer certificate verification options.
See the L<verify(1)> manual page for details.
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
-[B<-issuer_checks>]
[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
address matches that specified in the From: address.
=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
-B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
-B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
+B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
+B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
-B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
-B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
-B<-verify_ip>, B<-verify_name>, B<-x509_strict>
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
+B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
+B<-verify_name>, B<-x509_strict>
Set various options of certificate chain verification. See
L<verify(1)> manual page for details.
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
-[B<-issuer_checks>]
[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
[B<->]
[certificates]
-
=head1 DESCRIPTION
The B<verify> command verifies certificate chains.
Set policy variable inhibit-policy-mapping (see RFC5280).
-=item B<-issuer_checks>
-
-Print out diagnostics relating to searches for the issuer certificate of the
-current certificate. This shows why each candidate issuer certificate was
-rejected. The presence of rejection messages does not itself imply that
-anything is wrong; during the normal verification process, several
-rejections may take place.
-
=item B<-partial_chain>
Allow verification to succeed even if a I<complete> chain cannot be built to a
the operation was successful.
+=item B<1 X509_V_ERR_UNSPECIFIED: unspecified certificate verification error>
+
+unspecified error, should not happen.
+
=item B<2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate>
the issuer certificate of a looked up certificate could not be found. This
=item B<29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch>
-the current candidate issuer certificate was rejected because its subject name
-did not match the issuer name of the current certificate. Only displayed when
-the B<-issuer_checks> option is set.
+Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
+B<-issuer_checks> option.
=item B<30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch>
-the current candidate issuer certificate was rejected because its subject key
-identifier was present and did not match the authority key identifier current
-certificate. Only displayed when the B<-issuer_checks> option is set.
+Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
+B<-issuer_checks> option.
=item B<31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch>
-the current candidate issuer certificate was rejected because its issuer name
-and serial number was present and did not match the authority key identifier
-of the current certificate. Only displayed when the B<-issuer_checks> option is set.
+Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
+B<-issuer_checks> option.
+
+=item B<32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN: key usage does not include certificate signing>
+
+Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
+B<-issuer_checks> option.
+
+=item B<33 X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: unable to get CRL issuer certificate>
+
+TBA
+
+=item B<34 X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: unhandled critical extension>
+
+TBA
+
+=item B<35 X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: key usage does not include CRL signing>
+
+TBA
+
+=item B<36 X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: unhandled critical CRL extension>
+
+TBA
+
+=item B<37 X509_V_ERR_INVALID_NON_CA: invalid non-CA certificate has CA markings>
+
+TBA
+
+=item B<38 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: proxy path length constraint exceeded>
+
+TBA
+
+=item B<39 X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: key usage does not include digital signature>
+
+TBA
+
+=item B<40 X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: proxy certificates not allowed, please set the appropriate flag>
+
+TBA
+
+=item B<41 X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate extension>
+
+TBA
+
+=item B<42 X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent certificate policy extension>
+
+TBA
+
+=item B<43 X509_V_ERR_NO_EXPLICIT_POLICY: no explicit policy>
+
+TBA
+
+=item B<44 X509_V_ERR_DIFFERENT_CRL_SCOPE: Different CRL scope>
+
+TBA
+
+=item B<45 X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: Unsupported extension feature>
+
+TBA
+
+=item B<46 X509_V_ERR_UNNESTED_RESOURCE: RFC 3779 resource not subset of parent's resources>
+
+TBA
+
+=item B<47 X509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation>
-=item B<32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing>
+TBA
-the current candidate issuer certificate was rejected because its keyUsage extension
-does not permit certificate signing.
+=item B<48 X509_V_ERR_EXCLUDED_VIOLATION: excluded subtree violation>
+
+TBA
+
+=item B<49 X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not supported>
+
+TBA
=item B<50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure>
an application specific error. Unused.
+=item B<51 X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint type>
+
+TBA
+
+=item B<52 X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name constraint syntax>
+
+TBA
+
+=item B<53 X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: unsupported or invalid name syntax>
+
+TBA
+
+=item B<54 X509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error>
+
+TBA
+
+=item B<55 X509_V_ERR_PATH_LOOP: Path Loop>
+
+TBA
+
+=item B<56 X509_V_ERR_SUITE_B_INVALID_VERSION: Suite B: certificate version invalid>
+
+TBA
+
+=item B<57 X509_V_ERR_SUITE_B_INVALID_ALGORITHM: Suite B: invalid public key algorithm>
+
+TBA
+
+=item B<58 X509_V_ERR_SUITE_B_INVALID_CURVE: Suite B: invalid ECC curve>
+
+TBA
+
+=item B<59 X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM: Suite B: invalid signature algorithm>
+
+TBA
+
+=item B<60 X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED: Suite B: curve not allowed for this LOS>
+
+TBA
+
+=item B<61 X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256: Suite B: cannot sign P-384 with P-256>
+
+TBA
+
+=item B<62 X509_V_ERR_HOSTNAME_MISMATCH: Hostname mismatch>
+
+TBA
+
+=item B<63 X509_V_ERR_EMAIL_MISMATCH: Email address mismatch>
+
+TBA
+
+=item B<64 X509_V_ERR_IP_ADDRESS_MISMATCH: IP address mismatch>
+
+TBA
+
+=item B<65 X509_V_ERR_DANE_NO_MATCH: No matching DANE TLSA records>
+
+DANE TLSA authentication is enabled, but no TLSA records matched the
+certificate chain.
+This error is only possible in L<s_client(1)>.
+
=back
=head1 BUGS
=head1 HISTORY
-The -show_chain option was first added to OpenSSL 1.1.0.
+The B<-show_chain> option was first added to OpenSSL 1.1.0.
+
+The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and
+is silently ignored.
=cut
+
signature is that disabled or unsupported message digests on the root CA
are not treated as fatal errors.
-The B<X509_V_FLAG_CB_ISSUER_CHECK> flag enables debugging of certificate
-issuer checks. It is B<not> needed unless you are logging certificate
-verification. If this flag is set then additional status codes will be sent
-to the verification callback and it B<must> be prepared to handle such cases
-without assuming they are hard errors.
-
If B<X509_V_FLAG_TRUSTED_FIRST> is set, when constructing the certificate chain,
L<X509_verify_cert(3)> will search the trust store for issuer certificates before
searching the provided untrusted certificates.
=head1 HISTORY
The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.1.0
+The legacy B<X509_V_FLAG_CB_ISSUER_CHECK> flag is deprecated as of
+OpenSSL 1.1.0, and has no effect.
=cut
# define X509_V_OK 0
# define X509_V_ERR_UNSPECIFIED 1
-
# define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
# define X509_V_ERR_UNABLE_TO_GET_CRL 3
# define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4
# define X509_V_ERR_AKID_SKID_MISMATCH 30
# define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31
# define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32
-
# define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33
# define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
# define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
# define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38
# define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
# define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
-
# define X509_V_ERR_INVALID_EXTENSION 41
# define X509_V_ERR_INVALID_POLICY_EXTENSION 42
# define X509_V_ERR_NO_EXPLICIT_POLICY 43
# define X509_V_ERR_DIFFERENT_CRL_SCOPE 44
# define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45
-
# define X509_V_ERR_UNNESTED_RESOURCE 46
-
# define X509_V_ERR_PERMITTED_VIOLATION 47
# define X509_V_ERR_EXCLUDED_VIOLATION 48
# define X509_V_ERR_SUBTREE_MINMAX 49
+/* The application is not happy */
+# define X509_V_ERR_APPLICATION_VERIFICATION 50
# define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51
# define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52
# define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
/* DANE TLSA errors */
# define X509_V_ERR_DANE_NO_MATCH 65
-/* The application is not happy */
-# define X509_V_ERR_APPLICATION_VERIFICATION 50
/* Certificate verify flags */
-/* Send issuer+subject checks to verify_cb */
-# define X509_V_FLAG_CB_ISSUER_CHECK 0x1
+# if OPENSSL_API_COMPAT < 0x10100000L
+# define X509_V_FLAG_CB_ISSUER_CHECK 0x0 /* Deprecated */
+# endif
/* Use check time instead of current time */
# define X509_V_FLAG_USE_CHECK_TIME 0x2
/* Lookup CRLs */
projects / openssl / commitdiff