From: Dr. David von Oheimb
Date: Thu, 3 Dec 2020 11:00:35 +0000 (+0100)
Subject: apps/verify:c: Enable output of multiple verification errors due to -x509_strict
X-Git-Tag: openssl-3.0.0-alpha10~170
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f974b610775443278e5634c285521e82c2e37752;p=thirdparty%2Fopenssl.git
apps/verify:c: Enable output of multiple verification errors due to -x509_strict
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/13606)
---
diff --git a/apps/verify.c b/apps/verify.c
index 9a226f03609..ba4a8c283de 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -356,13 +356,28 @@ static int cb(int ok, X509_STORE_CTX *ctx)
 case X509_V_ERR_INVALID_CA:
 case X509_V_ERR_INVALID_NON_CA:
 case X509_V_ERR_PATH_LENGTH_EXCEEDED:
- case X509_V_ERR_INVALID_PURPOSE:
 case X509_V_ERR_CRL_HAS_EXPIRED:
 case X509_V_ERR_CRL_NOT_YET_VALID:
 case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
+ /* errors due to strict conformance checking (-x509_strict) */
+ case X509_V_ERR_INVALID_PURPOSE:
+ case X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA:
+ case X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN:
+ case X509_V_ERR_CA_BCONS_NOT_CRITICAL:
+ case X509_V_ERR_CA_CERT_MISSING_KEY_USAGE:
+ case X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA:
+ case X509_V_ERR_ISSUER_NAME_EMPTY:
+ case X509_V_ERR_SUBJECT_NAME_EMPTY:
+ case X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL:
+ case X509_V_ERR_EMPTY_SUBJECT_ALT_NAME:
+ case X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY:
+ case X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL:
+ case X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL:
+ case X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER:
+ case X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER:
+ case X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3:
 ok = 1; } - return ok; }
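Review bot: The `ok = 1;` that the newly added case labels fall into carries no comment saying it only lets verification continue so that further errors can be printed. That distinction matters more now that the list also covers basic-constraints, key-usage and key-identifier failures. I would add above it `/* keep going to report further errors; the final verdict must come from the stored ctx error, not from ok */`. Whether the caller actually derives its result from the stored error cannot be seen here, because cb() starts and ends outside the hunk, so that should be confirmed alongside this change. Separately, `X509_V_ERR_INVALID_PURPOSE` now sits under the heading `errors due to strict conformance checking (-x509_strict)` although it appears to be raised by ordinary purpose checking as well; if so, keep it in the group above or reword the heading.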