APPS: make sure the -CAfile argument can be in DER format
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>
Fri, 29 Jul 2022 09:31:39 +0000 (11:31 +0200)
committerHugo Landau <hlandau@openssl.org>
Thu, 27 Apr 2023 14:45:38 +0000 (15:45 +0100)
Note that PKCS#12 input is still not supported here.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18917)

apps/lib/apps.c
doc/man1/openssl-verification-options.pod

index 69bf5b4e37b0d54f30b6bc9593bf24906041ebdd..6f9bf4a6c8440edb1c2e72b1f49d42b9caf71b4d 100644 (file)
@@ -1379,8 +1379,12 @@ X509_STORE *setup_verify(const char *CAfile, int noCAfile,
         if (CAfile != NULL) {
             if (X509_LOOKUP_load_file_ex(lookup, CAfile, X509_FILETYPE_PEM,
                                          libctx, propq) <= 0) {
-                BIO_printf(bio_err, "Error loading file %s\n", CAfile);
-                goto end;
+                ERR_clear_error();
+                if (X509_LOOKUP_load_file_ex(lookup, CAfile, X509_FILETYPE_ASN1,
+                                             libctx, propq) <= 0) {
+                    BIO_printf(bio_err, "Error loading file %s\n", CAfile);
+                    goto end;
+                }
             }
         } else {
             X509_LOOKUP_load_file_ex(lookup, NULL, X509_FILETYPE_DEFAULT,
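Review bot: The `ERR_clear_error()` before the DER retry discards the PEM diagnostics, so when both attempts fail the queue holds only the ASN.1 parse errors, which is misleading for a PEM bundle containing one damaged certificate; since this file defines the trust anchors, an operator needs the real reason it was rejected. The call also empties the whole thread error queue, not just the entries produced by the failed PEM load. Consider placing `ERR_set_mark()` before the first load and calling `ERR_pop_to_mark()` only once the DER load succeeds (`ERR_clear_last_mark()` otherwise), so a double failure reports both parse attempts. A short comment above the retry, such as `/* not PEM: retry as a single DER certificate; PKCS#12 is not handled */`, would also record the limitation the commit message mentions. setup_verify begins and ends outside this hunk, so how the queue is reported at `end:` is not visible here.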
index 57b29dc5837fe05bebf4d047c2165e80e826ed18..2a3fe8849a8166c8478a61762c09d9d249d5c4f8 100644 (file)
@@ -202,8 +202,8 @@ can be specified using following options.
 
 =item B<-CAfile> I<file>
 
-Load the specified file which contains a certificate
-or several of them in case the input is in PEM or PKCS#12 format.
+Load the specified file which contains a trusted certificate in DER format
+or potentially several of them in case the input is in PEM format.
 PEM-encoded certificates may also have trust attributes set.
 
 =item B<-no-CAfile>