generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Check chain extensions also for trusted certificates

Browse Source 
This includes basic constraints, key usages, issuer EKUs and auxiliary
trust OIDs (given a trust suitably related to the intended purpose).

Added tests and updated documentation.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
This commit is contained in:
Viktor Dukhovni
2016-01-28 03:01:45 -05:00
parent 1b4cf96f9b
commit 0daccd4dc1
15 changed files with 315 additions and 98 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
doc/apps/x509.pod
View File

@@ -289,9 +289,12 @@ clears all the prohibited or rejected uses of the certificate.
=item B<-addtrust arg>
adds a trusted certificate use. Any object name can be used here
but currently only B<clientAuth> (SSL client use), B<serverAuth>
(SSL server use) and B<emailProtection> (S/MIME email) are used.
adds a trusted certificate use.
Any object name can be used here but currently only B<clientAuth> (SSL client
use), B<serverAuth> (SSL server use), B<emailProtection> (S/MIME email) and
B<anyExtendedKeyUsage> are used.
As of OpenSSL 1.1.0, the last of these blocks all purposes when rejected or
enables all purposes when trusted.
Other OpenSSL applications may define additional uses.
=item B<-addreject arg>