From d33def662443c4b534c6b261a3b01f3960339c78 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Tue, 9 Feb 2016 14:17:13 -0500 Subject: [PATCH] Deprecate the -issuer_checks debugging option This was a developer debugging feature and was never a useful public interface. Added all missing X509 error codes to the verify(1) manpage, but many still need a description beyond the associated text string. Sorted the errors in x509_txt.c by error number. Reviewed-by: Stephen Henson --- apps/apps.h | 3 +- apps/opt.c | 2 +- crypto/x509/x509_txt.c | 27 ++-- crypto/x509/x509_vfy.c | 11 +- doc/apps/cms.pod | 11 +- doc/apps/ocsp.pod | 11 +- doc/apps/s_client.pod | 11 +- doc/apps/s_server.pod | 14 +- doc/apps/smime.pod | 11 +- doc/apps/verify.pod | 171 ++++++++++++++++++--- doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 8 +- include/openssl/x509_vfy.h | 14 +- 12 files changed, 198 insertions(+), 96 deletions(-) diff --git a/apps/apps.h b/apps/apps.h index 3c132e7a9b..d4c2b11b8b 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -207,8 +207,7 @@ void wait_for_async(SSL *s); "check peer certificate matches \"ipaddr\"" }, \ { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', \ "Disable critical extension checking"}, \ - { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', \ - "Enable debugging of certificate issuer checks"}, \ + { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)"}, \ { "crl_check", OPT_V_CRL_CHECK, '-', "Check that peer cert has not been revoked" }, \ { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "Also check all certs in the chain" }, \ { "policy_check", OPT_V_POLICY_CHECK, '-', "Enable certificate policy checking"}, \ diff --git a/apps/opt.c b/apps/opt.c index 49db5b66e4..3525b969c6 100644 --- a/apps/opt.c +++ b/apps/opt.c @@ -557,7 +557,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm) X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_IGNORE_CRITICAL); break; case OPT_V_ISSUER_CHECKS: - X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CB_ISSUER_CHECK); + /* NOP, deprecated */ break; case OPT_V_CRL_CHECK: X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CRL_CHECK); diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c index 884c3afdd4..f7f27e97ef 100644 --- a/crypto/x509/x509_txt.c +++ b/crypto/x509/x509_txt.c @@ -90,10 +90,10 @@ const char *X509_verify_cert_error_string(long n) return ("CRL signature failure"); case X509_V_ERR_CERT_NOT_YET_VALID: return ("certificate is not yet valid"); - case X509_V_ERR_CRL_NOT_YET_VALID: - return ("CRL is not yet valid"); case X509_V_ERR_CERT_HAS_EXPIRED: return ("certificate has expired"); + case X509_V_ERR_CRL_NOT_YET_VALID: + return ("CRL is not yet valid"); case X509_V_ERR_CRL_HAS_EXPIRED: return ("CRL has expired"); case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: @@ -120,23 +120,14 @@ const char *X509_verify_cert_error_string(long n) return ("certificate revoked"); case X509_V_ERR_INVALID_CA: return ("invalid CA certificate"); - case X509_V_ERR_INVALID_NON_CA: - return ("invalid non-CA certificate (has CA markings)"); case X509_V_ERR_PATH_LENGTH_EXCEEDED: return ("path length constraint exceeded"); - case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: - return ("proxy path length constraint exceeded"); - case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: - return - ("proxy certificates not allowed, please set the appropriate flag"); case X509_V_ERR_INVALID_PURPOSE: return ("unsupported certificate purpose"); case X509_V_ERR_CERT_UNTRUSTED: return ("certificate not trusted"); case X509_V_ERR_CERT_REJECTED: return ("certificate rejected"); - case X509_V_ERR_APPLICATION_VERIFICATION: - return ("application verification failure"); case X509_V_ERR_SUBJECT_ISSUER_MISMATCH: return ("subject issuer mismatch"); case X509_V_ERR_AKID_SKID_MISMATCH: @@ -151,10 +142,17 @@ const char *X509_verify_cert_error_string(long n) return ("unhandled critical extension"); case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: return ("key usage does not include CRL signing"); - case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: - return ("key usage does not include digital signature"); case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: return ("unhandled critical CRL extension"); + case X509_V_ERR_INVALID_NON_CA: + return ("invalid non-CA certificate (has CA markings)"); + case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: + return ("proxy path length constraint exceeded"); + case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: + return ("key usage does not include digital signature"); + case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: + return + ("proxy certificates not allowed, please set the appropriate flag"); case X509_V_ERR_INVALID_EXTENSION: return ("invalid or inconsistent certificate extension"); case X509_V_ERR_INVALID_POLICY_EXTENSION: @@ -167,13 +165,14 @@ const char *X509_verify_cert_error_string(long n) return ("Unsupported extension feature"); case X509_V_ERR_UNNESTED_RESOURCE: return ("RFC 3779 resource not subset of parent's resources"); - case X509_V_ERR_PERMITTED_VIOLATION: return ("permitted subtree violation"); case X509_V_ERR_EXCLUDED_VIOLATION: return ("excluded subtree violation"); case X509_V_ERR_SUBTREE_MINMAX: return ("name constraints minimum and maximum not supported"); + case X509_V_ERR_APPLICATION_VERIFICATION: + return ("application verification failure"); case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: return ("unsupported name constraint type"); case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index f8b9b503ac..ae07f37f36 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -318,16 +318,7 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) } } - if (ret == X509_V_OK) - return 1; - /* If we haven't asked for issuer errors don't set ctx */ - if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) - return 0; - - ctx->error = ret; - ctx->current_cert = x; - ctx->current_issuer = issuer; - return ctx->verify_cb(0, ctx); + return (ret == X509_V_OK); } /* Alternative lookup method: look from a STACK stored in other_ctx */ diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod index da91c7f458..7470fae795 100644 --- a/doc/apps/cms.pod +++ b/doc/apps/cms.pod @@ -47,7 +47,6 @@ B B [B<-ignore_critical>] [B<-inhibit_any>] [B<-inhibit_map>] -[B<-issuer_checks>] [B<-partial_chain>] [B<-policy arg>] [B<-policy_check>] @@ -472,12 +471,12 @@ then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, -B, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, -B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>, +B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, +B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>, -B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, -B<-verify_ip>, B<-verify_name>, B<-x509_strict> +B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, +B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, +B<-verify_name>, B<-x509_strict> Set various certificate chain validation options. See the L manual page for details. diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index 30d133f05e..1ecd92887b 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod @@ -42,7 +42,6 @@ B B [B<-ignore_critical>] [B<-inhibit_any>] [B<-inhibit_map>] -[B<-issuer_checks>] [B<-partial_chain>] [B<-policy arg>] [B<-policy_check>] @@ -193,12 +192,12 @@ Do not load the trusted CA certificates from the default file location Do not load the trusted CA certificates from the default directory location =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, -B, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, -B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>, +B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, +B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>, -B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, -B<-verify_ip>, B<-verify_name>, B<-x509_strict> +B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, +B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, +B<-verify_name>, B<-x509_strict> Set different certificate verification options. See L|verify(1)> manual page for details. diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index 394c6494d7..c5fe64724d 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -34,7 +34,6 @@ B B [B<-ignore_critical>] [B<-inhibit_any>] [B<-inhibit_map>] -[B<-issuer_checks>] [B<-partial_chain>] [B<-policy arg>] [B<-policy_check>] @@ -216,12 +215,12 @@ whitespace is ignored in the associated data field. For example: ... =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, -B, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, -B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>, +B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, +B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>, -B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, -B<-verify_ip>, B<-verify_name>, B<-x509_strict> +B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, +B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, +B<-verify_name>, B<-x509_strict> Set various certificate chain validation options. See the L manual page for details. diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index ffccdce051..890a8ead11 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -44,7 +44,6 @@ B B [B<-ignore_critical>] [B<-inhibit_any>] [B<-inhibit_map>] -[B<-issuer_checks>] [B<-partial_chain>] [B<-policy arg>] [B<-policy_check>] @@ -224,12 +223,13 @@ must supply a certificate or an error occurs. If the ciphersuite cannot request a client certificate (for example an anonymous ciphersuite or PSK) this option has no effect. -=item B<-attime>, B<-check_ss_sig>, B, B<-extended_crl>, -B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>, -B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, -B<-suiteB_128>, B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, -B<-no_alt_chains>, B<-use_deltas>, B<-verify_depth>, B<-verify_email>, -B<-verify_hostname>, B<-verify_ip>, B<-verify_name>, B<-x509_strict> +=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, +B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, +B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>, +B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, +B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, +B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, +B<-verify_name>, B<-x509_strict> Set different peer certificate verification options. See the L manual page for details. diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod index 0f4d3853c2..62f1417d52 100644 --- a/doc/apps/smime.pod +++ b/doc/apps/smime.pod @@ -29,7 +29,6 @@ B B [B<-ignore_critical>] [B<-inhibit_any>] [B<-inhibit_map>] -[B<-issuer_checks>] [B<-partial_chain>] [B<-policy arg>] [B<-policy_check>] @@ -304,12 +303,12 @@ then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, -B, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, -B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>, +B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, +B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>, -B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, -B<-verify_ip>, B<-verify_name>, B<-x509_strict> +B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, +B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, +B<-verify_name>, B<-x509_strict> Set various options of certificate chain verification. See L manual page for details. diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index cd87b848ea..ac17a331df 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -24,7 +24,6 @@ B B [B<-ignore_critical>] [B<-inhibit_any>] [B<-inhibit_map>] -[B<-issuer_checks>] [B<-partial_chain>] [B<-policy arg>] [B<-policy_check>] @@ -49,7 +48,6 @@ B B [B<->] [certificates] - =head1 DESCRIPTION The B command verifies certificate chains. @@ -148,14 +146,6 @@ Set policy variable inhibit-any-policy (see RFC5280). Set policy variable inhibit-policy-mapping (see RFC5280). -=item B<-issuer_checks> - -Print out diagnostics relating to searches for the issuer certificate of the -current certificate. This shows why each candidate issuer certificate was -rejected. The presence of rejection messages does not itself imply that -anything is wrong; during the normal verification process, several -rejections may take place. - =item B<-partial_chain> Allow verification to succeed even if a I chain cannot be built to a @@ -386,6 +376,10 @@ as "unused". the operation was successful. +=item B<1 X509_V_ERR_UNSPECIFIED: unspecified certificate verification error> + +unspecified error, should not happen. + =item B<2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate> the issuer certificate of a looked up certificate could not be found. This @@ -505,31 +499,158 @@ the root CA is marked to reject the specified purpose. =item B<29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch> -the current candidate issuer certificate was rejected because its subject name -did not match the issuer name of the current certificate. Only displayed when -the B<-issuer_checks> option is set. +Not used as of OpenSSL 1.1.0 as a result of the deprecation of the +B<-issuer_checks> option. =item B<30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch> -the current candidate issuer certificate was rejected because its subject key -identifier was present and did not match the authority key identifier current -certificate. Only displayed when the B<-issuer_checks> option is set. +Not used as of OpenSSL 1.1.0 as a result of the deprecation of the +B<-issuer_checks> option. =item B<31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch> -the current candidate issuer certificate was rejected because its issuer name -and serial number was present and did not match the authority key identifier -of the current certificate. Only displayed when the B<-issuer_checks> option is set. +Not used as of OpenSSL 1.1.0 as a result of the deprecation of the +B<-issuer_checks> option. + +=item B<32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN: key usage does not include certificate signing> + +Not used as of OpenSSL 1.1.0 as a result of the deprecation of the +B<-issuer_checks> option. + +=item B<33 X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: unable to get CRL issuer certificate> + +TBA + +=item B<34 X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: unhandled critical extension> + +TBA + +=item B<35 X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: key usage does not include CRL signing> + +TBA + +=item B<36 X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: unhandled critical CRL extension> + +TBA + +=item B<37 X509_V_ERR_INVALID_NON_CA: invalid non-CA certificate has CA markings> + +TBA + +=item B<38 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: proxy path length constraint exceeded> + +TBA + +=item B<39 X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: key usage does not include digital signature> + +TBA + +=item B<40 X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: proxy certificates not allowed, please set the appropriate flag> + +TBA + +=item B<41 X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate extension> + +TBA + +=item B<42 X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent certificate policy extension> + +TBA + +=item B<43 X509_V_ERR_NO_EXPLICIT_POLICY: no explicit policy> + +TBA + +=item B<44 X509_V_ERR_DIFFERENT_CRL_SCOPE: Different CRL scope> + +TBA + +=item B<45 X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: Unsupported extension feature> + +TBA + +=item B<46 X509_V_ERR_UNNESTED_RESOURCE: RFC 3779 resource not subset of parent's resources> + +TBA + +=item B<47 X509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation> -=item B<32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing> +TBA -the current candidate issuer certificate was rejected because its keyUsage extension -does not permit certificate signing. +=item B<48 X509_V_ERR_EXCLUDED_VIOLATION: excluded subtree violation> + +TBA + +=item B<49 X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not supported> + +TBA =item B<50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure> an application specific error. Unused. +=item B<51 X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint type> + +TBA + +=item B<52 X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name constraint syntax> + +TBA + +=item B<53 X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: unsupported or invalid name syntax> + +TBA + +=item B<54 X509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error> + +TBA + +=item B<55 X509_V_ERR_PATH_LOOP: Path Loop> + +TBA + +=item B<56 X509_V_ERR_SUITE_B_INVALID_VERSION: Suite B: certificate version invalid> + +TBA + +=item B<57 X509_V_ERR_SUITE_B_INVALID_ALGORITHM: Suite B: invalid public key algorithm> + +TBA + +=item B<58 X509_V_ERR_SUITE_B_INVALID_CURVE: Suite B: invalid ECC curve> + +TBA + +=item B<59 X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM: Suite B: invalid signature algorithm> + +TBA + +=item B<60 X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED: Suite B: curve not allowed for this LOS> + +TBA + +=item B<61 X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256: Suite B: cannot sign P-384 with P-256> + +TBA + +=item B<62 X509_V_ERR_HOSTNAME_MISMATCH: Hostname mismatch> + +TBA + +=item B<63 X509_V_ERR_EMAIL_MISMATCH: Email address mismatch> + +TBA + +=item B<64 X509_V_ERR_IP_ADDRESS_MISMATCH: IP address mismatch> + +TBA + +=item B<65 X509_V_ERR_DANE_NO_MATCH: No matching DANE TLSA records> + +DANE TLSA authentication is enabled, but no TLSA records matched the +certificate chain. +This error is only possible in L. + =back =head1 BUGS @@ -553,6 +674,10 @@ L =head1 HISTORY -The -show_chain option was first added to OpenSSL 1.1.0. +The B<-show_chain> option was first added to OpenSSL 1.1.0. + +The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and +is silently ignored. =cut + diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index 53a063a48c..6fb33edd91 100644 --- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -191,12 +191,6 @@ check the signature anyway. A side effect of not checking the root CA signature is that disabled or unsupported message digests on the root CA are not treated as fatal errors. -The B flag enables debugging of certificate -issuer checks. It is B needed unless you are logging certificate -verification. If this flag is set then additional status codes will be sent -to the verification callback and it B be prepared to handle such cases -without assuming they are hard errors. - If B is set, when constructing the certificate chain, L will search the trust store for issuer certificates before searching the provided untrusted certificates. @@ -253,5 +247,7 @@ L =head1 HISTORY The B flag was added in OpenSSL 1.1.0 +The legacy B flag is deprecated as of +OpenSSL 1.1.0, and has no effect. =cut diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index 2ed1e4c007..f2bd0736b9 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h @@ -284,7 +284,6 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); # define X509_V_OK 0 # define X509_V_ERR_UNSPECIFIED 1 - # define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2 # define X509_V_ERR_UNABLE_TO_GET_CRL 3 # define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4 @@ -317,7 +316,6 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); # define X509_V_ERR_AKID_SKID_MISMATCH 30 # define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31 # define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32 - # define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33 # define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 # define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 @@ -326,18 +324,17 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); # define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38 # define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39 # define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40 - # define X509_V_ERR_INVALID_EXTENSION 41 # define X509_V_ERR_INVALID_POLICY_EXTENSION 42 # define X509_V_ERR_NO_EXPLICIT_POLICY 43 # define X509_V_ERR_DIFFERENT_CRL_SCOPE 44 # define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45 - # define X509_V_ERR_UNNESTED_RESOURCE 46 - # define X509_V_ERR_PERMITTED_VIOLATION 47 # define X509_V_ERR_EXCLUDED_VIOLATION 48 # define X509_V_ERR_SUBTREE_MINMAX 49 +/* The application is not happy */ +# define X509_V_ERR_APPLICATION_VERIFICATION 50 # define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51 # define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52 # define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53 @@ -358,13 +355,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); /* DANE TLSA errors */ # define X509_V_ERR_DANE_NO_MATCH 65 -/* The application is not happy */ -# define X509_V_ERR_APPLICATION_VERIFICATION 50 /* Certificate verify flags */ -/* Send issuer+subject checks to verify_cb */ -# define X509_V_FLAG_CB_ISSUER_CHECK 0x1 +# if OPENSSL_API_COMPAT < 0x10100000L +# define X509_V_FLAG_CB_ISSUER_CHECK 0x0 /* Deprecated */ +# endif /* Use check time instead of current time */ # define X509_V_FLAG_USE_CHECK_TIME 0x2 /* Lookup CRLs */ -- 2.40.0