Deprecate the -issuer_checks debugging option

This was a developer debugging feature and was never a useful public
interface.

Added all missing X509 error codes to the verify(1) manpage, but
many still need a description beyond the associated text string.

Sorted the errors in x509_txt.c by error number.

Reviewed-by: Stephen Henson <steve@openssl.org>
Viktor Dukhovni 2016-02-09 14:17:13 -05:00
parent 056be06b4d
commit d33def6624
12 changed files with 198 additions and 96 deletions

@ -207,8 +207,7 @@ void wait_for_async(SSL *s);
"check peer certificate matches \"ipaddr\"" }, \
{ "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', \
"Disable critical extension checking"}, \
{ "issuer_checks", OPT_V_ISSUER_CHECKS, '-', \
"Enable debugging of certificate issuer checks"}, \
{ "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)"}, \
{ "crl_check", OPT_V_CRL_CHECK, '-', "Check that peer cert has not been revoked" }, \
{ "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "Also check all certs in the chain" }, \
{ "policy_check", OPT_V_POLICY_CHECK, '-', "Enable certificate policy checking"}, \

@ -557,7 +557,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_IGNORE_CRITICAL);
break;
case OPT_V_ISSUER_CHECKS:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CB_ISSUER_CHECK);
/* NOP, deprecated */
break;
case OPT_V_CRL_CHECK:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CRL_CHECK);
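Review bot: The `OPT_V_ISSUER_CHECKS` case in `opt_verify` now accepts the option and does nothing, so anyone who still passes `-issuer_checks` while troubleshooting chain building gets neither the diagnostics nor any sign that the option was ignored. A one-line notice on the error stream would make the deprecation visible without breaking existing scripts, for example `BIO_printf(bio_err, "warning: -issuer_checks is deprecated and ignored\n");` before the `break` (assuming `bio_err` is reachable from this file, which the hunk does not show). If silence is the intended behaviour, the comment should say so explicitly: `/* Deprecated: accepted for compatibility, has no effect */`. The body of `opt_verify` starts and ends outside the hunk.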

@ -90,10 +90,10 @@ const char *X509_verify_cert_error_string(long n)
return ("CRL signature failure");
case X509_V_ERR_CERT_NOT_YET_VALID:
return ("certificate is not yet valid");
case X509_V_ERR_CRL_NOT_YET_VALID:
return ("CRL is not yet valid");
case X509_V_ERR_CERT_HAS_EXPIRED:
return ("certificate has expired");
case X509_V_ERR_CRL_NOT_YET_VALID:
return ("CRL is not yet valid");
case X509_V_ERR_CRL_HAS_EXPIRED:
return ("CRL has expired");
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
@ -120,23 +120,14 @@ const char *X509_verify_cert_error_string(long n)
return ("certificate revoked");
case X509_V_ERR_INVALID_CA:
return ("invalid CA certificate");
case X509_V_ERR_INVALID_NON_CA:
return ("invalid non-CA certificate (has CA markings)");
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
return ("path length constraint exceeded");
case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
return ("proxy path length constraint exceeded");
case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
return
("proxy certificates not allowed, please set the appropriate flag");
case X509_V_ERR_INVALID_PURPOSE:
return ("unsupported certificate purpose");
case X509_V_ERR_CERT_UNTRUSTED:
return ("certificate not trusted");
case X509_V_ERR_CERT_REJECTED:
return ("certificate rejected");
case X509_V_ERR_APPLICATION_VERIFICATION:
return ("application verification failure");
case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
return ("subject issuer mismatch");
case X509_V_ERR_AKID_SKID_MISMATCH:
@ -151,10 +142,17 @@ const char *X509_verify_cert_error_string(long n)
return ("unhandled critical extension");
case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
return ("key usage does not include CRL signing");
case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
return ("key usage does not include digital signature");
case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
return ("unhandled critical CRL extension");
case X509_V_ERR_INVALID_NON_CA:
return ("invalid non-CA certificate (has CA markings)");
case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
return ("proxy path length constraint exceeded");
case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
return ("key usage does not include digital signature");
case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
return
("proxy certificates not allowed, please set the appropriate flag");
case X509_V_ERR_INVALID_EXTENSION:
return ("invalid or inconsistent certificate extension");
case X509_V_ERR_INVALID_POLICY_EXTENSION:
@ -167,13 +165,14 @@ const char *X509_verify_cert_error_string(long n)
return ("Unsupported extension feature");
case X509_V_ERR_UNNESTED_RESOURCE:
return ("RFC 3779 resource not subset of parent's resources");
case X509_V_ERR_PERMITTED_VIOLATION:
return ("permitted subtree violation");
case X509_V_ERR_EXCLUDED_VIOLATION:
return ("excluded subtree violation");
case X509_V_ERR_SUBTREE_MINMAX:
return ("name constraints minimum and maximum not supported");
case X509_V_ERR_APPLICATION_VERIFICATION:
return ("application verification failure");
case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:
return ("unsupported name constraint type");
case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX:

@ -318,16 +318,7 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
}
}
if (ret == X509_V_OK)
return 1;
/* If we haven't asked for issuer errors don't set ctx */
if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
return 0;
ctx->error = ret;
ctx->current_cert = x;
ctx->current_issuer = issuer;
return ctx->verify_cb(0, ctx);
return (ret == X509_V_OK);
}
/* Alternative lookup method: look from a STACK stored in other_ctx */
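Review bot: With the callback path gone, `check_issued` discards the specific rejection code in `ret` and returns only 1 or 0, and nothing at the `return (ret == X509_V_OK);` line records that this is deliberate. In the removed branch the value returned by `ctx->verify_cb(0, ctx)` became the function's result, so a callback could turn a failed issuer match into an accepted candidate. A short comment would keep that path from being reintroduced for diagnostics, for example `/* Any mismatch rejects the candidate; the verify callback is intentionally not consulted here */`. The parentheses are also unnecessary, `return ret == X509_V_OK;` reads the same. The start of the function is outside the hunk, so how `ret` is computed is not visible here.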

@ -47,7 +47,6 @@ B<openssl> B<cms>
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-issuer_checks>]
[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
@ -472,12 +471,12 @@ then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
B<-verify_ip>, B<-verify_name>, B<-x509_strict>
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
B<-verify_name>, B<-x509_strict>
Set various certificate chain validation options. See the
L<verify(1)> manual page for details.

@ -42,7 +42,6 @@ B<openssl> B<ocsp>
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-issuer_checks>]
[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
@ -193,12 +192,12 @@ Do not load the trusted CA certificates from the default file location
Do not load the trusted CA certificates from the default directory location
=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
B<-verify_ip>, B<-verify_name>, B<-x509_strict>
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
B<-verify_name>, B<-x509_strict>
Set different certificate verification options.
See L<B<verify>|verify(1)> manual page for details.

@ -34,7 +34,6 @@ B<openssl> B<s_client>
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-issuer_checks>]
[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
@ -216,12 +215,12 @@ whitespace is ignored in the associated data field. For example:
...
=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
B<-verify_ip>, B<-verify_name>, B<-x509_strict>
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
B<-verify_name>, B<-x509_strict>
Set various certificate chain validation options. See the
L<verify(1)> manual page for details.

@ -44,7 +44,6 @@ B<openssl> B<s_server>
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-issuer_checks>]
[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
@ -224,12 +223,13 @@ must supply a certificate or an error occurs.
If the ciphersuite cannot request a client certificate (for example an
anonymous ciphersuite or PSK) this option has no effect.
=item B<-attime>, B<-check_ss_sig>, B<explicit_policy>, B<-extended_crl>,
B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>,
B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>,
B<-suiteB_128>, B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>,
B<-no_alt_chains>, B<-use_deltas>, B<-verify_depth>, B<-verify_email>,
B<-verify_hostname>, B<-verify_ip>, B<-verify_name>, B<-x509_strict>
=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
B<-verify_name>, B<-x509_strict>
Set different peer certificate verification options.
See the L<verify(1)> manual page for details.

@ -29,7 +29,6 @@ B<openssl> B<smime>
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-issuer_checks>]
[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
@ -304,12 +303,12 @@ then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
B<-verify_ip>, B<-verify_name>, B<-x509_strict>
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
B<-verify_name>, B<-x509_strict>
Set various options of certificate chain verification. See
L<verify(1)> manual page for details.

@ -24,7 +24,6 @@ B<openssl> B<verify>
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-issuer_checks>]
[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
@ -49,7 +48,6 @@ B<openssl> B<verify>
[B<->]
[certificates]
=head1 DESCRIPTION
The B<verify> command verifies certificate chains.
@ -148,14 +146,6 @@ Set policy variable inhibit-any-policy (see RFC5280).
Set policy variable inhibit-policy-mapping (see RFC5280).
=item B<-issuer_checks>
Print out diagnostics relating to searches for the issuer certificate of the
current certificate. This shows why each candidate issuer certificate was
rejected. The presence of rejection messages does not itself imply that
anything is wrong; during the normal verification process, several
rejections may take place.
=item B<-partial_chain>
Allow verification to succeed even if a I<complete> chain cannot be built to a
@ -386,6 +376,10 @@ as "unused".
the operation was successful.
=item B<1 X509_V_ERR_UNSPECIFIED: unspecified certificate verification error>
unspecified error, should not happen.
=item B<2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate>
the issuer certificate of a looked up certificate could not be found. This
@ -505,31 +499,158 @@ the root CA is marked to reject the specified purpose.
=item B<29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch>
the current candidate issuer certificate was rejected because its subject name
did not match the issuer name of the current certificate. Only displayed when
the B<-issuer_checks> option is set.
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
B<-issuer_checks> option.
=item B<30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch>
the current candidate issuer certificate was rejected because its subject key
identifier was present and did not match the authority key identifier current
certificate. Only displayed when the B<-issuer_checks> option is set.
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
B<-issuer_checks> option.
=item B<31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch>
the current candidate issuer certificate was rejected because its issuer name
and serial number was present and did not match the authority key identifier
of the current certificate. Only displayed when the B<-issuer_checks> option is set.
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
B<-issuer_checks> option.
=item B<32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing>
=item B<32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN: key usage does not include certificate signing>
the current candidate issuer certificate was rejected because its keyUsage extension
does not permit certificate signing.
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
B<-issuer_checks> option.
=item B<33 X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: unable to get CRL issuer certificate>
TBA
=item B<34 X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: unhandled critical extension>
TBA
=item B<35 X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: key usage does not include CRL signing>
TBA
=item B<36 X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: unhandled critical CRL extension>
TBA
=item B<37 X509_V_ERR_INVALID_NON_CA: invalid non-CA certificate has CA markings>
TBA
=item B<38 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: proxy path length constraint exceeded>
TBA
=item B<39 X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: key usage does not include digital signature>
TBA
=item B<40 X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: proxy certificates not allowed, please set the appropriate flag>
TBA
=item B<41 X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate extension>
TBA
=item B<42 X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent certificate policy extension>
TBA
=item B<43 X509_V_ERR_NO_EXPLICIT_POLICY: no explicit policy>
TBA
=item B<44 X509_V_ERR_DIFFERENT_CRL_SCOPE: Different CRL scope>
TBA
=item B<45 X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: Unsupported extension feature>
TBA
=item B<46 X509_V_ERR_UNNESTED_RESOURCE: RFC 3779 resource not subset of parent's resources>
TBA
=item B<47 X509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation>
TBA
=item B<48 X509_V_ERR_EXCLUDED_VIOLATION: excluded subtree violation>
TBA
=item B<49 X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not supported>
TBA
=item B<50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure>
an application specific error. Unused.
=item B<51 X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint type>
TBA
=item B<52 X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name constraint syntax>
TBA
=item B<53 X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: unsupported or invalid name syntax>
TBA
=item B<54 X509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error>
TBA
=item B<55 X509_V_ERR_PATH_LOOP: Path Loop>
TBA
=item B<56 X509_V_ERR_SUITE_B_INVALID_VERSION: Suite B: certificate version invalid>
TBA
=item B<57 X509_V_ERR_SUITE_B_INVALID_ALGORITHM: Suite B: invalid public key algorithm>
TBA
=item B<58 X509_V_ERR_SUITE_B_INVALID_CURVE: Suite B: invalid ECC curve>
TBA
=item B<59 X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM: Suite B: invalid signature algorithm>
TBA
=item B<60 X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED: Suite B: curve not allowed for this LOS>
TBA
=item B<61 X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256: Suite B: cannot sign P-384 with P-256>
TBA
=item B<62 X509_V_ERR_HOSTNAME_MISMATCH: Hostname mismatch>
TBA
=item B<63 X509_V_ERR_EMAIL_MISMATCH: Email address mismatch>
TBA
=item B<64 X509_V_ERR_IP_ADDRESS_MISMATCH: IP address mismatch>
TBA
=item B<65 X509_V_ERR_DANE_NO_MATCH: No matching DANE TLSA records>
DANE TLSA authentication is enabled, but no TLSA records matched the
certificate chain.
This error is only possible in L<s_client(1)>.
=back
=head1 BUGS
@ -553,6 +674,10 @@ L<x509(1)>
=head1 HISTORY
The -show_chain option was first added to OpenSSL 1.1.0.
The B<-show_chain> option was first added to OpenSSL 1.1.0.
The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and
is silently ignored.
=cut

@ -191,12 +191,6 @@ check the signature anyway. A side effect of not checking the root CA
signature is that disabled or unsupported message digests on the root CA
are not treated as fatal errors.
The B<X509_V_FLAG_CB_ISSUER_CHECK> flag enables debugging of certificate
issuer checks. It is B<not> needed unless you are logging certificate
verification. If this flag is set then additional status codes will be sent
to the verification callback and it B<must> be prepared to handle such cases
without assuming they are hard errors.
If B<X509_V_FLAG_TRUSTED_FIRST> is set, when constructing the certificate chain,
L<X509_verify_cert(3)> will search the trust store for issuer certificates before
searching the provided untrusted certificates.
@ -253,5 +247,7 @@ L<X509_check_ip(3)>
=head1 HISTORY
The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.1.0
The legacy B<X509_V_FLAG_CB_ISSUER_CHECK> flag is deprecated as of
OpenSSL 1.1.0, and has no effect.
=cut

@ -284,7 +284,6 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
# define X509_V_OK 0
# define X509_V_ERR_UNSPECIFIED 1
# define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
# define X509_V_ERR_UNABLE_TO_GET_CRL 3
# define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4
@ -317,7 +316,6 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
# define X509_V_ERR_AKID_SKID_MISMATCH 30
# define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31
# define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32
# define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33
# define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
# define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
@ -326,18 +324,17 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
# define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38
# define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
# define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
# define X509_V_ERR_INVALID_EXTENSION 41
# define X509_V_ERR_INVALID_POLICY_EXTENSION 42
# define X509_V_ERR_NO_EXPLICIT_POLICY 43
# define X509_V_ERR_DIFFERENT_CRL_SCOPE 44
# define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45
# define X509_V_ERR_UNNESTED_RESOURCE 46
# define X509_V_ERR_PERMITTED_VIOLATION 47
# define X509_V_ERR_EXCLUDED_VIOLATION 48
# define X509_V_ERR_SUBTREE_MINMAX 49
/* The application is not happy */
# define X509_V_ERR_APPLICATION_VERIFICATION 50
# define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51
# define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52
# define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
@ -358,13 +355,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
/* DANE TLSA errors */
# define X509_V_ERR_DANE_NO_MATCH 65
/* The application is not happy */
# define X509_V_ERR_APPLICATION_VERIFICATION 50
/* Certificate verify flags */
/* Send issuer+subject checks to verify_cb */
# define X509_V_FLAG_CB_ISSUER_CHECK 0x1
# if OPENSSL_API_COMPAT < 0x10100000L
# define X509_V_FLAG_CB_ISSUER_CHECK 0x0 /* Deprecated */
# endif
/* Use check time instead of current time */
# define X509_V_FLAG_USE_CHECK_TIME 0x2
/* Lookup CRLs */
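Review bot: Redefining `X509_V_FLAG_CB_ISSUER_CHECK` as `0x0` leaves bit `0x1` of the verify flags unassigned, and nothing in the header says it has to stay that way. Binaries built against the old header will still pass `0x1` to `X509_VERIFY_PARAM_set_flags`, so if a later flag were given that value those callers would switch it on without knowing. A comment next to the define would reserve the bit, e.g. `/* Deprecated; bit 0x1 is reserved and must not be reused for another flag */`. Separately, with `OPENSSL_API_COMPAT` at `0x10100000L` or above the macro is not defined at all, which is presumably intended but would deserve a mention alongside the "has no effect" wording in the HISTORY text.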