[openssl-commits] [openssl] master update

Rich Salz rsalz at openssl.org
Tue Jul 14 11:46:41 UTC 2015


The branch master has been updated
       via  5b89036c41a009a76cd0e1595dde5001ae157972 (commit)
      from  e5c0bc6cc49a23b50a272801c4bd53639c25fca4 (commit)


- Log -----------------------------------------------------------------
commit 5b89036c41a009a76cd0e1595dde5001ae157972
Author: Rich Salz <rsalz at akamai.com>
Date:   Thu Jul 9 14:54:13 2015 -0400

    Can't use -trusted with -CA{path,file}
    
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/verify.c       |  8 +++++++-
 doc/apps/verify.pod | 12 ++++++++----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/apps/verify.c b/apps/verify.c
index a823d58..7fcd32a 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -88,7 +88,7 @@ OPTIONS verify_options[] = {
     {"CApath", OPT_CAPATH, '/', "A directory of trusted certificates"},
     {"CAfile", OPT_CAFILE, '<', "A file of trusted certificates"},
     {"untrusted", OPT_UNTRUSTED, '<', "A file of untrusted certificates"},
-    {"trusted", OPT_TRUSTED, '<', "A file of additional trusted certificates"},
+    {"trusted", OPT_TRUSTED, '<', "A file of trusted certificates"},
     {"CRLfile", OPT_CRLFILE, '<',
         "File containing one or more CRL's (in PEM format) to load"},
     {"crl_download", OPT_CRL_DOWNLOAD, '-',
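Review bot: the new help string for `-trusted`, "A file of trusted certificates", is now word-for-word the same as the one for `-CAfile` two lines above it, so the usage output gives no hint that the two options behave differently. Since the verify.pod change in this same commit says `-trusted` causes no default lists to be consulted and cannot be combined with `-CAfile` or `-CApath`, consider putting that in the help text, for example "A file of trusted certificates (no defaults; excludes -CAfile/-CApath)".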
@@ -180,6 +180,12 @@ int verify_main(int argc, char **argv)
     }
     argc = opt_num_rest();
     argv = opt_rest();
+    if (trustfile && (CAfile || CApath)) {
+        BIO_printf(bio_err,
+                   "%s: Cannot use -trusted with -CAfile or -CApath\n",
+                   prog);
+        goto end;
+    }
 
     if (!app_load_modules(NULL))
         goto end;
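Review bot: the `goto end` in the new `if (trustfile && (CAfile || CApath))` block relies on whatever the return value holds at that point, which is not visible in this hunk. Please confirm that this path exits with a failure status, because callers that script `verify` look at the exit code, and a rejected option combination that returned success would read as a passed verification. A test that passes `-trusted` together with `-CAfile` and checks for a non-zero exit would pin this down.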
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index 9cc7fcb..b1253da 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -182,13 +182,17 @@ behaviour to match that of OpenSSL versions prior to 1.1.0.
 
 =item B<-untrusted file>
 
-A file of untrusted certificates. The file should contain multiple certificates
-in PEM format concatenated together.
+A file of untrusted certificates. The file should contain one or more
+certificates in PEM format.
 
 =item B<-trusted file>
 
-A file of additional trusted certificates. The file should contain multiple
-certificates in PEM format concatenated together.
+A file of trusted certificates. The file contain one or more
+certificates in PEM format.
+With this option, no additional (e.g., default) certificate lists
+are consulted. That is, the only trusted issuers are those listed
+in B<file>.
+This option cannot be used with the B<-CAfile> or B<-CApath> options.
 
 =item B<-use_deltas>
 
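Review bot: the added line `+A file of trusted certificates. The file contain one or more` is missing a verb; it should read "The file should contain one or more", matching the wording of the `-untrusted` entry just above. Also, the exclusivity is documented only under `-trusted` here; a matching sentence in the `-CAfile` and `-CApath` entries would help readers who start from those options.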

