Make it possible to check for explicit auxiliary trust

By default X509_check_trust() trusts self-signed certificates from the trust store that have no explicit local trust/reject oids encapsulated as a "TRUSTED CERTIFICATE" object. (See the -addtrust and -trustout options of x509(1)). This commit adds a flag that makes it possible to distinguish between that implicit trust, and explicit auxiliary settings. With flags |= X509_TRUST_NO_SS_COMPAT, a certificate is only trusted via explicit trust settings. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2024-12-17 22:13:45 +08:00 · 2016-01-27 22:43:23 -05:00 · 2016-01-27 22:43:23 -05:00 · aea6116146
commit aea6116146
parent d8ca44ba41
2 changed files with 4 additions and 3 deletions
--- a/crypto/x509/x509_trs.c
+++ b/crypto/x509/x509_trs.c
@ -285,7 +285,7 @@ static int trust_compat(X509_TRUST *trust, X509 *x, int flags)
 {
    /* Call for side-effect of computing hash and caching extensions */
    X509_check_purpose(x, -1, 0);
-    if (x->ex_flags & EXFLAG_SS)
+    if ((flags & X509_TRUST_NO_SS_COMPAT) == 0 && x->ex_flags & EXFLAG_SS)
        return X509_TRUST_TRUSTED;
    else
        return X509_TRUST_UNTRUSTED;
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@ -199,8 +199,9 @@ DEFINE_STACK_OF(X509_TRUST)
 # define X509_TRUST_MAX          8

 /* trust_flags values */
-# define X509_TRUST_DYNAMIC      1
-# define X509_TRUST_DYNAMIC_NAME 2
+# define X509_TRUST_DYNAMIC      (1U << 0)
+# define X509_TRUST_DYNAMIC_NAME (1U << 1)
+# define X509_TRUST_NO_SS_COMPAT (1U << 2)

 /* check_trust return codes */