New verify flag to return success if we have any certificate in the trusted

store instead of the default which is to return an error if we can't build the complete chain. [backport from HEAD]
2012-12-14 14:30:46 +00:00 · 2012-12-14 14:30:46 +00:00 · 9a1f59cd31
commit 9a1f59cd31
parent 4e72220fd6
3 changed files with 13 additions and 0 deletions
--- a/apps/apps.c
+++ b/apps/apps.c
@ -2363,6 +2363,8 @@ int args_verify(char ***pargs, int *pargc,
 		flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
 	else if (!strcmp(arg, "-trusted_first"))
 		flags |= X509_V_FLAG_TRUSTED_FIRST;
+	else if (!strcmp(arg, "-partial_chain"))
+		flags |= X509_V_FLAG_PARTIAL_CHAIN;
 	else
 		return 0;

--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@ -682,6 +682,15 @@ static int check_trust(X509_STORE_CTX *ctx)
 				return X509_TRUST_REJECTED;
 			}
 		}
+	/* If we accept partial chains and have at least one trusted
+	 * certificate return success.
+	 */
+	if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
+		{
+		if (ctx->last_untrusted < sk_X509_num(ctx->chain))
+			return X509_TRUST_TRUSTED;
+		}
+
 	/* If no trusted certs in chain at all return untrusted and
 	 * allow standard (no issuer cert) etc errors to be indicated.
 	 */
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@ -392,6 +392,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 /* Use trusted store first */
 #define X509_V_FLAG_TRUSTED_FIRST		0x8000

+/* Allow partial chains if at least one certificate is in trusted store */
+#define X509_V_FLAG_PARTIAL_CHAIN		0x80000

 #define X509_VP_FLAG_DEFAULT			0x1
 #define X509_VP_FLAG_OVERWRITE			0x2