author | Richard Levitte <levitte@openssl.org> | 2004-11-29 11:28:08 +0000 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2004-11-29 11:28:08 +0000 |
commit | 30b415b0765b465e71262d051b7b16b604a855be (patch) | |
tree | ea4d4e61013d94f9bcd05ee521efc71e67eda6b3 /apps/verify.c | |
parent | 914c2a28c05797dc44fb3f498e6e12e5bc0db2b3 (diff) | |
download | openssl-new-30b415b0765b465e71262d051b7b16b604a855be.tar.gz |
Make an explicit check during certificate validation to see that the
CA setting in each certificate on the chain is correct. As a side-
effect always do the following basic checks on extensions, not just
when there's an associated purpose to the check:
- if there is an unhandled critical extension (unless the user has
chosen to ignore this fault)
- if the path length has been exceeded (if one is set at all)
- that certain extensions fit the associated purpose (if one has been
given)
Diffstat (limited to 'apps/verify.c')
-rw-r--r-- | apps/verify.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/apps/verify.c b/apps/verify.c index f7c85b8dd6..9ff32cb068 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -348,6 +348,7 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx) if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; /* Continue after extension errors too */ if (ctx->error == X509_V_ERR_INVALID_CA) ok=1; + if (ctx->error == X509_V_ERR_INVALID_NON_CA) ok=1; if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED) ok=1; if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok=1; if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; |
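Review bot: The added `X509_V_ERR_INVALID_NON_CA` line in `cb()` sets `ok=1` unconditionally, so the verify tool continues past the new CA-setting check described in the commit message, the same way the neighbouring lines do for `X509_V_ERR_INVALID_CA` and `X509_V_ERR_PATH_LENGTH_EXCEEDED`. That is consistent with the existing "Continue after extension errors too" comment, but nothing in this hunk shows the error being reported before it is overridden. Please confirm that the callback prints the error before reaching these lines, so that a chain with a wrong CA setting is not presented to the user as cleanly verified. Separately, the context shows the `X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT` test twice, once above and once below this block; the second one is redundant and could be dropped in a follow-up.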