You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
330 lines
15 KiB
330 lines
15 KiB
diff -up openssl-1.0.1e/apps/apps.c.trusted-first openssl-1.0.1e/apps/apps.c |
|
--- openssl-1.0.1e/apps/apps.c.trusted-first 2013-02-11 16:26:04.000000000 +0100 |
|
+++ openssl-1.0.1e/apps/apps.c 2013-08-16 15:42:39.920534769 +0200 |
|
@@ -2361,6 +2361,8 @@ int args_verify(char ***pargs, int *parg |
|
flags |= X509_V_FLAG_NOTIFY_POLICY; |
|
else if (!strcmp(arg, "-check_ss_sig")) |
|
flags |= X509_V_FLAG_CHECK_SS_SIGNATURE; |
|
+ else if (!strcmp(arg, "-trusted_first")) |
|
+ flags |= X509_V_FLAG_TRUSTED_FIRST; |
|
else |
|
return 0; |
|
|
|
diff -up openssl-1.0.1e/apps/cms.c.trusted-first openssl-1.0.1e/apps/cms.c |
|
--- openssl-1.0.1e/apps/cms.c.trusted-first 2013-02-11 16:26:04.000000000 +0100 |
|
+++ openssl-1.0.1e/apps/cms.c 2013-08-16 15:43:56.671213879 +0200 |
|
@@ -642,6 +642,7 @@ int MAIN(int argc, char **argv) |
|
BIO_printf (bio_err, "-text include or delete text MIME headers\n"); |
|
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); |
|
BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); |
|
+ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n"); |
|
BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); |
|
BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); |
|
#ifndef OPENSSL_NO_ENGINE |
|
diff -up openssl-1.0.1e/apps/ocsp.c.trusted-first openssl-1.0.1e/apps/ocsp.c |
|
--- openssl-1.0.1e/apps/ocsp.c.trusted-first 2013-02-11 16:26:04.000000000 +0100 |
|
+++ openssl-1.0.1e/apps/ocsp.c 2013-08-16 15:49:47.477572414 +0200 |
|
@@ -595,6 +595,7 @@ int MAIN(int argc, char **argv) |
|
BIO_printf (bio_err, "-path path to use in OCSP request\n"); |
|
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); |
|
BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); |
|
+ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n"); |
|
BIO_printf (bio_err, "-VAfile file validator certificates file\n"); |
|
BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); |
|
BIO_printf (bio_err, "-status_age n maximum status age in seconds\n"); |
|
diff -up openssl-1.0.1e/apps/s_client.c.trusted-first openssl-1.0.1e/apps/s_client.c |
|
--- openssl-1.0.1e/apps/s_client.c.trusted-first 2013-08-16 15:42:39.000000000 +0200 |
|
+++ openssl-1.0.1e/apps/s_client.c 2013-08-16 15:49:00.727542994 +0200 |
|
@@ -298,6 +298,7 @@ static void sc_usage(void) |
|
BIO_printf(bio_err," -pass arg - private key file pass phrase source\n"); |
|
BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); |
|
BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); |
|
+ BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n"); |
|
BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n"); |
|
BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n"); |
|
BIO_printf(bio_err," -showcerts - show all certificates in the chain\n"); |
|
diff -up openssl-1.0.1e/apps/smime.c.trusted-first openssl-1.0.1e/apps/smime.c |
|
--- openssl-1.0.1e/apps/smime.c.trusted-first 2013-02-11 16:26:04.000000000 +0100 |
|
+++ openssl-1.0.1e/apps/smime.c 2013-08-16 15:46:44.024875150 +0200 |
|
@@ -479,6 +479,7 @@ int MAIN(int argc, char **argv) |
|
BIO_printf (bio_err, "-text include or delete text MIME headers\n"); |
|
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); |
|
BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); |
|
+ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n"); |
|
BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); |
|
BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); |
|
#ifndef OPENSSL_NO_ENGINE |
|
diff -up openssl-1.0.1e/apps/s_server.c.trusted-first openssl-1.0.1e/apps/s_server.c |
|
--- openssl-1.0.1e/apps/s_server.c.trusted-first 2013-08-16 15:42:39.000000000 +0200 |
|
+++ openssl-1.0.1e/apps/s_server.c 2013-08-16 15:48:19.469634430 +0200 |
|
@@ -501,6 +501,7 @@ static void sv_usage(void) |
|
BIO_printf(bio_err," -state - Print the SSL states\n"); |
|
BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); |
|
BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); |
|
+ BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n"); |
|
BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n"); |
|
BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n"); |
|
BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n"); |
|
diff -up openssl-1.0.1e/apps/s_time.c.trusted-first openssl-1.0.1e/apps/s_time.c |
|
--- openssl-1.0.1e/apps/s_time.c.trusted-first 2013-08-16 15:42:39.000000000 +0200 |
|
+++ openssl-1.0.1e/apps/s_time.c 2013-08-16 15:47:35.862674188 +0200 |
|
@@ -179,6 +179,7 @@ static void s_time_usage(void) |
|
file if not specified by this option\n\ |
|
-CApath arg - PEM format directory of CA's\n\ |
|
-CAfile arg - PEM format file of CA's\n\ |
|
+-trusted_first - Use trusted CA's first when building the trust chain\n\ |
|
-cipher - preferred cipher to use, play with 'openssl ciphers'\n\n"; |
|
|
|
printf( "usage: s_time <args>\n\n" ); |
|
diff -up openssl-1.0.1e/apps/ts.c.trusted-first openssl-1.0.1e/apps/ts.c |
|
--- openssl-1.0.1e/apps/ts.c.trusted-first 2013-08-16 15:42:39.000000000 +0200 |
|
+++ openssl-1.0.1e/apps/ts.c 2013-08-16 15:45:27.766206812 +0200 |
|
@@ -383,7 +383,7 @@ int MAIN(int argc, char **argv) |
|
"ts -verify [-data file_to_hash] [-digest digest_bytes] " |
|
"[-queryfile request.tsq] " |
|
"-in response.tsr [-token_in] " |
|
- "-CApath ca_path -CAfile ca_file.pem " |
|
+ "-CApath ca_path -CAfile ca_file.pem -trusted_first" |
|
"-untrusted cert_file.pem\n"); |
|
cleanup: |
|
/* Clean up. */ |
|
diff -up openssl-1.0.1e/apps/verify.c.trusted-first openssl-1.0.1e/apps/verify.c |
|
--- openssl-1.0.1e/apps/verify.c.trusted-first 2013-02-11 16:26:04.000000000 +0100 |
|
+++ openssl-1.0.1e/apps/verify.c 2013-08-16 15:46:09.720124654 +0200 |
|
@@ -237,7 +237,7 @@ int MAIN(int argc, char **argv) |
|
|
|
end: |
|
if (ret == 1) { |
|
- BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); |
|
+ BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]"); |
|
BIO_printf(bio_err," [-attime timestamp]"); |
|
#ifndef OPENSSL_NO_ENGINE |
|
BIO_printf(bio_err," [-engine e]"); |
|
diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.c |
|
--- openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first 2013-08-16 15:42:39.864533545 +0200 |
|
+++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-08-16 15:42:39.921534791 +0200 |
|
@@ -207,6 +207,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx |
|
|
|
/* If we are self signed, we break */ |
|
if (ctx->check_issued(ctx, x,x)) break; |
|
+ /* If asked see if we can find issuer in trusted store first */ |
|
+ if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) |
|
+ { |
|
+ ok = ctx->get_issuer(&xtmp, ctx, x); |
|
+ if (ok < 0) |
|
+ return ok; |
|
+ /* If successful for now free up cert so it |
|
+ * will be picked up again later. |
|
+ */ |
|
+ if (ok > 0) |
|
+ { |
|
+ X509_free(xtmp); |
|
+ break; |
|
+ } |
|
+ } |
|
|
|
/* If we were passed a cert chain, use it first */ |
|
if (ctx->untrusted != NULL) |
|
diff -up openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.h |
|
--- openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first 2013-08-16 15:42:39.356522432 +0200 |
|
+++ openssl-1.0.1e/crypto/x509/x509_vfy.h 2013-08-16 15:42:39.922534813 +0200 |
|
@@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE |
|
#define X509_V_FLAG_USE_DELTAS 0x2000 |
|
/* Check selfsigned CA signature */ |
|
#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000 |
|
+/* Use trusted store first */ |
|
+#define X509_V_FLAG_TRUSTED_FIRST 0x8000 |
|
|
|
|
|
#define X509_VP_FLAG_DEFAULT 0x1 |
|
diff -up openssl-1.0.1e/doc/apps/cms.pod.trusted-first openssl-1.0.1e/doc/apps/cms.pod |
|
--- openssl-1.0.1e/doc/apps/cms.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200 |
|
+++ openssl-1.0.1e/doc/apps/cms.pod 2013-08-16 15:50:48.723921117 +0200 |
|
@@ -35,6 +35,7 @@ B<openssl> B<cms> |
|
[B<-print>] |
|
[B<-CAfile file>] |
|
[B<-CApath dir>] |
|
+[B<-trusted_first>] |
|
[B<-md digest>] |
|
[B<-[cipher]>] |
|
[B<-nointern>] |
|
@@ -238,6 +239,12 @@ B<-verify>. This directory must be a sta |
|
is a hash of each subject name (using B<x509 -hash>) should be linked |
|
to each certificate. |
|
|
|
+=item B<-trusted_first> |
|
+ |
|
+Use certificates in CA file or CA directory before untrusted certificates |
|
+from the message when building the trust chain to verify certificates. |
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs. |
|
+ |
|
=item B<-md digest> |
|
|
|
digest algorithm to use when signing or resigning. If not present then the |
|
diff -up openssl-1.0.1e/doc/apps/ocsp.pod.trusted-first openssl-1.0.1e/doc/apps/ocsp.pod |
|
--- openssl-1.0.1e/doc/apps/ocsp.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200 |
|
+++ openssl-1.0.1e/doc/apps/ocsp.pod 2013-08-16 15:52:20.106933403 +0200 |
|
@@ -29,6 +29,7 @@ B<openssl> B<ocsp> |
|
[B<-path>] |
|
[B<-CApath dir>] |
|
[B<-CAfile file>] |
|
+[B<-trusted_first>] |
|
[B<-VAfile file>] |
|
[B<-validity_period n>] |
|
[B<-status_age n>] |
|
@@ -138,6 +139,13 @@ or "/" by default. |
|
file or pathname containing trusted CA certificates. These are used to verify |
|
the signature on the OCSP response. |
|
|
|
+=item B<-trusted_first> |
|
+ |
|
+Use certificates in CA file or CA directory over certificates provided |
|
+in the response or residing in other certificates file when building the trust |
|
+chain to verify responder certificate. |
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs. |
|
+ |
|
=item B<-verify_other file> |
|
|
|
file containing additional certificates to search when attempting to locate |
|
diff -up openssl-1.0.1e/doc/apps/s_client.pod.trusted-first openssl-1.0.1e/doc/apps/s_client.pod |
|
--- openssl-1.0.1e/doc/apps/s_client.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200 |
|
+++ openssl-1.0.1e/doc/apps/s_client.pod 2013-08-16 15:53:17.364194159 +0200 |
|
@@ -17,6 +17,7 @@ B<openssl> B<s_client> |
|
[B<-pass arg>] |
|
[B<-CApath directory>] |
|
[B<-CAfile filename>] |
|
+[B<-trusted_first>] |
|
[B<-reconnect>] |
|
[B<-pause>] |
|
[B<-showcerts>] |
|
@@ -107,7 +108,7 @@ also used when building the client certi |
|
A file containing trusted certificates to use during server authentication |
|
and to use when attempting to build the client certificate chain. |
|
|
|
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> |
|
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first> |
|
|
|
Set various certificate chain valiadition option. See the |
|
L<B<verify>|verify(1)> manual page for details. |
|
diff -up openssl-1.0.1e/doc/apps/smime.pod.trusted-first openssl-1.0.1e/doc/apps/smime.pod |
|
--- openssl-1.0.1e/doc/apps/smime.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200 |
|
+++ openssl-1.0.1e/doc/apps/smime.pod 2013-08-16 15:56:12.497050767 +0200 |
|
@@ -15,6 +15,9 @@ B<openssl> B<smime> |
|
[B<-pk7out>] |
|
[B<-[cipher]>] |
|
[B<-in file>] |
|
+[B<-CAfile file>] |
|
+[B<-CApath dir>] |
|
+[B<-trusted_first>] |
|
[B<-certfile file>] |
|
[B<-signer file>] |
|
[B<-recip file>] |
|
@@ -146,6 +149,12 @@ B<-verify>. This directory must be a sta |
|
is a hash of each subject name (using B<x509 -hash>) should be linked |
|
to each certificate. |
|
|
|
+=item B<-trusted_first> |
|
+ |
|
+Use certificates in CA file or CA directory over certificates provided |
|
+in the message when building the trust chain to verify a certificate. |
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs. |
|
+ |
|
=item B<-md digest> |
|
|
|
digest algorithm to use when signing or resigning. If not present then the |
|
diff -up openssl-1.0.1e/doc/apps/s_server.pod.trusted-first openssl-1.0.1e/doc/apps/s_server.pod |
|
--- openssl-1.0.1e/doc/apps/s_server.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200 |
|
+++ openssl-1.0.1e/doc/apps/s_server.pod 2013-08-16 15:54:33.609873214 +0200 |
|
@@ -33,6 +33,7 @@ B<openssl> B<s_server> |
|
[B<-state>] |
|
[B<-CApath directory>] |
|
[B<-CAfile filename>] |
|
+[B<-trusted_first>] |
|
[B<-nocert>] |
|
[B<-cipher cipherlist>] |
|
[B<-quiet>] |
|
@@ -168,6 +169,12 @@ and to use when attempting to build the |
|
is also used in the list of acceptable client CAs passed to the client when |
|
a certificate is requested. |
|
|
|
+=item B<-trusted_first> |
|
+ |
|
+Use certificates in CA file or CA directory before other certificates |
|
+when building the trust chain to verify client certificates. |
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs. |
|
+ |
|
=item B<-state> |
|
|
|
prints out the SSL session states. |
|
diff -up openssl-1.0.1e/doc/apps/s_time.pod.trusted-first openssl-1.0.1e/doc/apps/s_time.pod |
|
--- openssl-1.0.1e/doc/apps/s_time.pod.trusted-first 2013-02-11 16:02:48.000000000 +0100 |
|
+++ openssl-1.0.1e/doc/apps/s_time.pod 2013-08-16 15:55:12.651732938 +0200 |
|
@@ -14,6 +14,7 @@ B<openssl> B<s_time> |
|
[B<-key filename>] |
|
[B<-CApath directory>] |
|
[B<-CAfile filename>] |
|
+[B<-trusted_first>] |
|
[B<-reuse>] |
|
[B<-new>] |
|
[B<-verify depth>] |
|
@@ -76,6 +77,12 @@ also used when building the client certi |
|
A file containing trusted certificates to use during server authentication |
|
and to use when attempting to build the client certificate chain. |
|
|
|
+=item B<-trusted_first> |
|
+ |
|
+Use certificates in CA file or CA directory over the certificates provided |
|
+by the server when building the trust chain to verify server certificate. |
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs. |
|
+ |
|
=item B<-new> |
|
|
|
performs the timing test using a new session ID for each connection. |
|
diff -up openssl-1.0.1e/doc/apps/ts.pod.trusted-first openssl-1.0.1e/doc/apps/ts.pod |
|
--- openssl-1.0.1e/doc/apps/ts.pod.trusted-first 2013-02-11 16:26:04.000000000 +0100 |
|
+++ openssl-1.0.1e/doc/apps/ts.pod 2013-08-16 15:57:17.399479957 +0200 |
|
@@ -46,6 +46,7 @@ B<-verify> |
|
[B<-token_in>] |
|
[B<-CApath> trusted_cert_path] |
|
[B<-CAfile> trusted_certs.pem] |
|
+[B<-trusted_first>] |
|
[B<-untrusted> cert_file.pem] |
|
|
|
=head1 DESCRIPTION |
|
@@ -324,6 +325,12 @@ L<verify(1)|verify(1)> for additional de |
|
or B<-CApath> must be specified. |
|
(Optional) |
|
|
|
+=item B<-trusted_first> |
|
+ |
|
+Use certificates in CA file or CA directory before other certificates |
|
+when building the trust chain to verify certificates. |
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs. |
|
+ |
|
=item B<-untrusted> cert_file.pem |
|
|
|
Set of additional untrusted certificates in PEM format which may be |
|
diff -up openssl-1.0.1e/doc/apps/verify.pod.trusted-first openssl-1.0.1e/doc/apps/verify.pod |
|
--- openssl-1.0.1e/doc/apps/verify.pod.trusted-first 2013-02-11 16:26:04.000000000 +0100 |
|
+++ openssl-1.0.1e/doc/apps/verify.pod 2013-08-16 15:58:00.267423925 +0200 |
|
@@ -9,6 +9,7 @@ verify - Utility to verify certificates. |
|
B<openssl> B<verify> |
|
[B<-CApath directory>] |
|
[B<-CAfile file>] |
|
+[B<-trusted_first>] |
|
[B<-purpose purpose>] |
|
[B<-policy arg>] |
|
[B<-ignore_critical>] |
|
@@ -56,6 +57,12 @@ in PEM format concatenated together. |
|
A file of untrusted certificates. The file should contain multiple certificates |
|
in PEM format concatenated together. |
|
|
|
+=item B<-trusted_first> |
|
+ |
|
+Use certificates in CA file or CA directory before the certificates in the untrusted |
|
+file when building the trust chain to verify certificates. |
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs. |
|
+ |
|
=item B<-purpose purpose> |
|
|
|
The intended use for the certificate. If this option is not specified,
|
|
|