[openssl-commits] [openssl] master update

Viktor Dukhovni viktor at openssl.org
Wed Feb 10 17:35:01 UTC 2016


The branch master has been updated
       via  5e136d7abf0945664fa40c7a032abed13fd15c81 (commit)
       via  d33def662443c4b534c6b261a3b01f3960339c78 (commit)
      from  056be06b4dfd7eaf7914febd043e9b446e1ed772 (commit)


- Log -----------------------------------------------------------------
commit 5e136d7abf0945664fa40c7a032abed13fd15c81
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date:   Tue Feb 9 14:18:15 2016 -0500

    Improve recent option help string additions
    
    Make these more correct, concise and less tautological.
    
    Reviewed-by: Stephen Henson <steve at openssl.org>

commit d33def662443c4b534c6b261a3b01f3960339c78
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date:   Tue Feb 9 14:17:13 2016 -0500

    Deprecate the -issuer_checks debugging option
    
    This was a developer debugging feature and was never a useful public
    interface.
    
    Added all missing X509 error codes to the verify(1) manpage, but
    many still need a description beyond the associated text string.
    
    Sorted the errors in x509_txt.c by error number.
    
    Reviewed-by: Stephen Henson <steve at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/apps.h                                |  60 +++++-----
 apps/opt.c                                 |   2 +-
 crypto/x509/x509_txt.c                     |  27 +++--
 crypto/x509/x509_vfy.c                     |  11 +-
 doc/apps/cms.pod                           |  11 +-
 doc/apps/ocsp.pod                          |  11 +-
 doc/apps/s_client.pod                      |  11 +-
 doc/apps/s_server.pod                      |  14 +--
 doc/apps/smime.pod                         |  11 +-
 doc/apps/verify.pod                        | 171 +++++++++++++++++++++++++----
 doc/crypto/X509_VERIFY_PARAM_set_flags.pod |   8 +-
 include/openssl/x509_vfy.h                 |  14 +--
 12 files changed, 228 insertions(+), 123 deletions(-)

diff --git a/apps/apps.h b/apps/apps.h
index 3c132e7..8ac7c03 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -194,47 +194,49 @@ void wait_for_async(SSL *s);
 # define OPT_V_OPTIONS \
         { "policy", OPT_V_POLICY, 's', "adds policy to the acceptable policy set"}, \
         { "purpose", OPT_V_PURPOSE, 's', \
-            "Set the acceptable purpose of the certificate chain"}, \
-        { "verify_name", OPT_V_VERIFY_NAME, 's', "verify name"}, \
+            "certificate chain purpose"}, \
+        { "verify_name", OPT_V_VERIFY_NAME, 's', "verification policy name"}, \
         { "verify_depth", OPT_V_VERIFY_DEPTH, 'p', \
-            "Limit the maximum depth of the certificate chain"}, \
-        { "attime", OPT_V_ATTIME, 'M', "Set the verification time" }, \
+            "chain depth limit"}, \
+        { "attime", OPT_V_ATTIME, 'M', "verification epoch time" }, \
         { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's', \
-            "check peer certificate matches \"host\"" }, \
+            "expected peer hostname" }, \
         { "verify_email", OPT_V_VERIFY_EMAIL, 's', \
-            "check peer certificate matches \"email\"" }, \
+            "expected peer email" }, \
         { "verify_ip", OPT_V_VERIFY_IP, 's', \
-            "check peer certificate matches \"ipaddr\"" }, \
+            "expected peer IP address" }, \
         { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', \
-            "Disable critical extension checking"}, \
-        { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', \
-            "Enable debugging of certificate issuer checks"}, \
-        { "crl_check", OPT_V_CRL_CHECK, '-', "Check that peer cert has not been revoked" }, \
-        { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "Also check all certs in the chain" }, \
-        { "policy_check", OPT_V_POLICY_CHECK, '-', "Enable certificate policy checking"}, \
-        { "explicit_policy", OPT_V_EXPLICIT_POLICY, '-', "Set the \"require explicit policy\""}, \
-        { "inhibit_any", OPT_V_INHIBIT_ANY, '-', "Set the \"inhibit any policy\"\""}, \
-        { "inhibit_map", OPT_V_INHIBIT_MAP, '-', "Set the \"inhibit policy mapping\"" }, \
+            "permit unhandled critical extensions"}, \
+        { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)"}, \
+        { "crl_check", OPT_V_CRL_CHECK, '-', "check leaf certificate revocation" }, \
+        { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "check full chain revocation" }, \
+        { "policy_check", OPT_V_POLICY_CHECK, '-', "perform rfc5280 policy checks"}, \
+        { "explicit_policy", OPT_V_EXPLICIT_POLICY, '-', \
+            "set policy variable require-explicit-policy"}, \
+        { "inhibit_any", OPT_V_INHIBIT_ANY, '-', \
+            "set policy variable inihibit-any-policy"}, \
+        { "inhibit_map", OPT_V_INHIBIT_MAP, '-', \
+            "set policy variable inihibit-policy-mapping"}, \
         { "x509_strict", OPT_V_X509_STRICT, '-', \
-            "Strictly apply X509 rules in verification"}, \
+            "disable certificate compatibility work-arounds"}, \
         { "extended_crl", OPT_V_EXTENDED_CRL, '-', \
-       	    "Enable extended CRL features such as indirect CRLs, alternate CRL signing keys"}, \
+            "enable extended CRL features"}, \
         { "use_deltas", OPT_V_USE_DELTAS, '-', \
-            "Enable indirect CRLs and CRLs signed by different keys"}, \
-        { "policy_print", OPT_V_POLICY_PRINT, '-', "Notify callback that policy is OK"}, \
+            "use delta CRLs"}, \
+        { "policy_print", OPT_V_POLICY_PRINT, '-', \
+            "print policy processing diagnostics"}, \
         { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-', \
-            "Enable checking of the root CA self signed certificate signature"}, \
+            "check root CA self-signatures"}, \
         { "trusted_first", OPT_V_TRUSTED_FIRST, '-', \
-            "Use locally-trusted CA's first in building chain (enabled by default)" }, \
-        { "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-', "Suite B 128 bit only mode"}, \
+            "search trust store first (default)" }, \
+        { "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-', "Suite B 128-bit-only mode"}, \
         { "suiteB_128", OPT_V_SUITEB_128, '-', \
-            "Suite B 128 bit mode allowing 192 bit algorithms"}, \
-        { "suiteB_192", OPT_V_SUITEB_192, '-', "Suite B 192 bit only mode" }, \
+            "Suite B 128-bit mode allowing 192-bit algorithms"}, \
+        { "suiteB_192", OPT_V_SUITEB_192, '-', "Suite B 192-bit-only mode" }, \
         { "partial_chain", OPT_V_PARTIAL_CHAIN, '-', \
-       	    "verification succeeds even if a complete chain cannot be built, "}, \
-        {OPT_MORE_STR, 0, 0, "provided a chain to a trusted certificate can be constructed"}, \
-        { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "Only use the first cert chain found" }, \
-        { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "Do not check validity against current time" }
+            "accept chains anchored by intermediate trust-store CAs"}, \
+        { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)" }, \
+        { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }
 
 # define OPT_V_CASES \
         OPT_V__FIRST: case OPT_V__LAST: break; \
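Review bot: The new help strings for -inhibit_any and -inhibit_map misspell the policy variable names as `inihibit-any-policy` and `inihibit-policy-mapping`; these are user-visible strings, so they should read `"set policy variable inhibit-any-policy"` and `"set policy variable inhibit-policy-mapping"`, matching the RFC 5280 names the verify.pod text in this commit uses. Separately, -no_alt_chains is now described only as "(deprecated)" while the pod synopses in this same commit still list it as an ordinary option; a hint such as `"(deprecated, ignored)"` would tell users what to expect, though I cannot see from this diff how opt.c actually treats that option. The OPT_V_CASES macro that begins at the end of the hunk continues past it.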
diff --git a/apps/opt.c b/apps/opt.c
index 49db5b6..3525b96 100644
--- a/apps/opt.c
+++ b/apps/opt.c
@@ -557,7 +557,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
         X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_IGNORE_CRITICAL);
         break;
     case OPT_V_ISSUER_CHECKS:
-        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CB_ISSUER_CHECK);
+        /* NOP, deprecated */
         break;
     case OPT_V_CRL_CHECK:
         X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CRL_CHECK);
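Review bot: The replacement comment `/* NOP, deprecated */` does not say why the option is now ignored or that the silence is deliberate; an operator passing -issuer_checks gets neither the old diagnostics nor a warning, so the decision should be explicit at this site, e.g. `/* X509_V_FLAG_CB_ISSUER_CHECK has no effect as of 1.1.0; the option is accepted for compatibility and silently ignored, as documented in verify(1). */`. If the project would rather be noisy, a one-line warning to bio_err here would let scripts notice the deprecation, but the verify.pod change in this commit documents silent behaviour, so the comment is the minimum. opt_verify begins before the hunk.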
diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index 884c3af..f7f27e9 100644
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -90,10 +90,10 @@ const char *X509_verify_cert_error_string(long n)
         return ("CRL signature failure");
     case X509_V_ERR_CERT_NOT_YET_VALID:
         return ("certificate is not yet valid");
-    case X509_V_ERR_CRL_NOT_YET_VALID:
-        return ("CRL is not yet valid");
     case X509_V_ERR_CERT_HAS_EXPIRED:
         return ("certificate has expired");
+    case X509_V_ERR_CRL_NOT_YET_VALID:
+        return ("CRL is not yet valid");
     case X509_V_ERR_CRL_HAS_EXPIRED:
         return ("CRL has expired");
     case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
@@ -120,23 +120,14 @@ const char *X509_verify_cert_error_string(long n)
         return ("certificate revoked");
     case X509_V_ERR_INVALID_CA:
         return ("invalid CA certificate");
-    case X509_V_ERR_INVALID_NON_CA:
-        return ("invalid non-CA certificate (has CA markings)");
     case X509_V_ERR_PATH_LENGTH_EXCEEDED:
         return ("path length constraint exceeded");
-    case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
-        return ("proxy path length constraint exceeded");
-    case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
-        return
-            ("proxy certificates not allowed, please set the appropriate flag");
     case X509_V_ERR_INVALID_PURPOSE:
         return ("unsupported certificate purpose");
     case X509_V_ERR_CERT_UNTRUSTED:
         return ("certificate not trusted");
     case X509_V_ERR_CERT_REJECTED:
         return ("certificate rejected");
-    case X509_V_ERR_APPLICATION_VERIFICATION:
-        return ("application verification failure");
     case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
         return ("subject issuer mismatch");
     case X509_V_ERR_AKID_SKID_MISMATCH:
@@ -151,10 +142,17 @@ const char *X509_verify_cert_error_string(long n)
         return ("unhandled critical extension");
     case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
         return ("key usage does not include CRL signing");
-    case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
-        return ("key usage does not include digital signature");
     case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
         return ("unhandled critical CRL extension");
+    case X509_V_ERR_INVALID_NON_CA:
+        return ("invalid non-CA certificate (has CA markings)");
+    case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
+        return ("proxy path length constraint exceeded");
+    case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
+        return ("key usage does not include digital signature");
+    case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
+        return
+            ("proxy certificates not allowed, please set the appropriate flag");
     case X509_V_ERR_INVALID_EXTENSION:
         return ("invalid or inconsistent certificate extension");
     case X509_V_ERR_INVALID_POLICY_EXTENSION:
@@ -167,13 +165,14 @@ const char *X509_verify_cert_error_string(long n)
         return ("Unsupported extension feature");
     case X509_V_ERR_UNNESTED_RESOURCE:
         return ("RFC 3779 resource not subset of parent's resources");
-
     case X509_V_ERR_PERMITTED_VIOLATION:
         return ("permitted subtree violation");
     case X509_V_ERR_EXCLUDED_VIOLATION:
         return ("excluded subtree violation");
     case X509_V_ERR_SUBTREE_MINMAX:
         return ("name constraints minimum and maximum not supported");
+    case X509_V_ERR_APPLICATION_VERIFICATION:
+        return ("application verification failure");
     case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:
         return ("unsupported name constraint type");
     case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX:
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index f8b9b50..ae07f37 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -318,16 +318,7 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
         }
     }
 
-    if (ret == X509_V_OK)
-        return 1;
-    /* If we haven't asked for issuer errors don't set ctx */
-    if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
-        return 0;
-
-    ctx->error = ret;
-    ctx->current_cert = x;
-    ctx->current_issuer = issuer;
-    return ctx->verify_cb(0, ctx);
+    return (ret == X509_V_OK);
 }
 
 /* Alternative lookup method: look from a STACK stored in other_ctx */
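Review bot: The new `return (ret == X509_V_OK);` removes the path on which a verify callback could override a failed issuer check, which is a security-relevant tightening that deserves a comment at the return site: with X509_V_FLAG_CB_ISSUER_CHECK set, a permissive callback that returns 1 for every error could previously have a candidate that failed X509_check_issued accepted as the issuer. I would add `/* Issuer-check failures are final: they are no longer reported to, or overridable by, the verify callback. */` above the return. Note also that ctx->error, ctx->current_cert and ctx->current_issuer are no longer set on this path, so callers that relied on them for diagnostics presumably now see only the generic issuer-lookup failure, consistent with the verify.pod text for codes 29-32 in this commit. check_issued begins before the hunk, where `ret` is computed.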
diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod
index da91c7f..7470fae 100644
--- a/doc/apps/cms.pod
+++ b/doc/apps/cms.pod
@@ -47,7 +47,6 @@ B<openssl> B<cms>
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]
-[B<-issuer_checks>]
 [B<-partial_chain>]
 [B<-policy arg>]
 [B<-policy_check>]
@@ -472,12 +471,12 @@ then many S/MIME mail clients check the signers certificate's email
 address matches that specified in the From: address.
 
 =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
-B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
-B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
+B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
+B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,
 B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
-B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
-B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
-B<-verify_ip>, B<-verify_name>, B<-x509_strict>
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
+B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
+B<-verify_name>, B<-x509_strict>
 
 Set various certificate chain validation options. See the
 L<verify(1)> manual page for details.
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod
index 30d133f..1ecd928 100644
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -42,7 +42,6 @@ B<openssl> B<ocsp>
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]
-[B<-issuer_checks>]
 [B<-partial_chain>]
 [B<-policy arg>]
 [B<-policy_check>]
@@ -193,12 +192,12 @@ Do not load the trusted CA certificates from the default file location
 Do not load the trusted CA certificates from the default directory location
 
 =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
-B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
-B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
+B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
+B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,
 B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
-B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
-B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
-B<-verify_ip>, B<-verify_name>, B<-x509_strict>
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
+B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
+B<-verify_name>, B<-x509_strict>
 
 Set different certificate verification options.
 See L<B<verify>|verify(1)> manual page for details.
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index 394c649..c5fe647 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -34,7 +34,6 @@ B<openssl> B<s_client>
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]
-[B<-issuer_checks>]
 [B<-partial_chain>]
 [B<-policy arg>]
 [B<-policy_check>]
@@ -216,12 +215,12 @@ whitespace is ignored in the associated data field.  For example:
   ...
 
 =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
-B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
-B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
+B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
+B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,
 B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
-B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
-B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
-B<-verify_ip>, B<-verify_name>, B<-x509_strict>
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
+B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
+B<-verify_name>, B<-x509_strict>
 
 Set various certificate chain validation options. See the
 L<verify(1)> manual page for details.
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index ffccdce..890a8ea 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -44,7 +44,6 @@ B<openssl> B<s_server>
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]
-[B<-issuer_checks>]
 [B<-partial_chain>]
 [B<-policy arg>]
 [B<-policy_check>]
@@ -224,12 +223,13 @@ must supply a certificate or an error occurs.
 If the ciphersuite cannot request a client certificate (for example an
 anonymous ciphersuite or PSK) this option has no effect.
 
-=item B<-attime>, B<-check_ss_sig>, B<explicit_policy>, B<-extended_crl>,
-B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>,
-B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>,
-B<-suiteB_128>, B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>,
-B<-no_alt_chains>, B<-use_deltas>, B<-verify_depth>, B<-verify_email>,
-B<-verify_hostname>, B<-verify_ip>, B<-verify_name>, B<-x509_strict>
+=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
+B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
+B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,
+B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
+B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
+B<-verify_name>, B<-x509_strict>
 
 Set different peer certificate verification options.
 See the L<verify(1)> manual page for details.
diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod
index 0f4d385..62f1417 100644
--- a/doc/apps/smime.pod
+++ b/doc/apps/smime.pod
@@ -29,7 +29,6 @@ B<openssl> B<smime>
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]
-[B<-issuer_checks>]
 [B<-partial_chain>]
 [B<-policy arg>]
 [B<-policy_check>]
@@ -304,12 +303,12 @@ then many S/MIME mail clients check the signers certificate's email
 address matches that specified in the From: address.
 
 =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
-B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
-B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
+B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
+B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,
 B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
-B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
-B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
-B<-verify_ip>, B<-verify_name>, B<-x509_strict>
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
+B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
+B<-verify_name>, B<-x509_strict>
 
 Set various options of certificate chain verification. See
 L<verify(1)> manual page for details.
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index cd87b84..ac17a33 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -24,7 +24,6 @@ B<openssl> B<verify>
 [B<-ignore_critical>]
 [B<-inhibit_any>]
 [B<-inhibit_map>]
-[B<-issuer_checks>]
 [B<-partial_chain>]
 [B<-policy arg>]
 [B<-policy_check>]
@@ -49,7 +48,6 @@ B<openssl> B<verify>
 [B<->]
 [certificates]
 
-
 =head1 DESCRIPTION
 
 The B<verify> command verifies certificate chains.
@@ -148,14 +146,6 @@ Set policy variable inhibit-any-policy (see RFC5280).
 
 Set policy variable inhibit-policy-mapping (see RFC5280).
 
-=item B<-issuer_checks>
-
-Print out diagnostics relating to searches for the issuer certificate of the
-current certificate. This shows why each candidate issuer certificate was
-rejected. The presence of rejection messages does not itself imply that
-anything is wrong; during the normal verification process, several
-rejections may take place.
-
 =item B<-partial_chain>
 
 Allow verification to succeed even if a I<complete> chain cannot be built to a
@@ -386,6 +376,10 @@ as "unused".
 
 the operation was successful.
 
+=item B<1 X509_V_ERR_UNSPECIFIED: unspecified certificate verification error>
+
+unspecified error, should not happen.
+
 =item B<2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate>
 
 the issuer certificate of a looked up certificate could not be found. This
@@ -505,31 +499,158 @@ the root CA is marked to reject the specified purpose.
 
 =item B<29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch>
 
-the current candidate issuer certificate was rejected because its subject name
-did not match the issuer name of the current certificate. Only displayed when
-the B<-issuer_checks> option is set.
+Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
+B<-issuer_checks> option.
 
 =item B<30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch>
 
-the current candidate issuer certificate was rejected because its subject key
-identifier was present and did not match the authority key identifier current
-certificate. Only displayed when the B<-issuer_checks> option is set.
+Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
+B<-issuer_checks> option.
 
 =item B<31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch>
 
-the current candidate issuer certificate was rejected because its issuer name
-and serial number was present and did not match the authority key identifier
-of the current certificate. Only displayed when the B<-issuer_checks> option is set.
+Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
+B<-issuer_checks> option.
+
+=item B<32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN: key usage does not include certificate signing>
+
+Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
+B<-issuer_checks> option.
+
+=item B<33 X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: unable to get CRL issuer certificate>
+
+TBA
+
+=item B<34 X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: unhandled critical extension>
+
+TBA
+
+=item B<35 X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: key usage does not include CRL signing>
+
+TBA
+
+=item B<36 X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: unhandled critical CRL extension>
+
+TBA
+
+=item B<37 X509_V_ERR_INVALID_NON_CA: invalid non-CA certificate has CA markings>
+
+TBA
+
+=item B<38 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: proxy path length constraint exceeded>
+
+TBA
+
+=item B<39 X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: key usage does not include digital signature>
+
+TBA
+
+=item B<40 X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: proxy certificates not allowed, please set the appropriate flag>
+
+TBA
+
+=item B<41 X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate extension>
+
+TBA
+
+=item B<42 X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent certificate policy extension>
+
+TBA
+
+=item B<43 X509_V_ERR_NO_EXPLICIT_POLICY: no explicit policy>
+
+TBA
+
+=item B<44 X509_V_ERR_DIFFERENT_CRL_SCOPE: Different CRL scope>
+
+TBA
+
+=item B<45 X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: Unsupported extension feature>
+
+TBA
+
+=item B<46 X509_V_ERR_UNNESTED_RESOURCE: RFC 3779 resource not subset of parent's resources>
+
+TBA
+
+=item B<47 X509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation>
 
-=item B<32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing>
+TBA
 
-the current candidate issuer certificate was rejected because its keyUsage extension
-does not permit certificate signing.
+=item B<48 X509_V_ERR_EXCLUDED_VIOLATION: excluded subtree violation>
+
+TBA
+
+=item B<49 X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not supported>
+
+TBA
 
 =item B<50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure>
 
 an application specific error. Unused.
 
+=item B<51 X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint type>
+
+TBA
+
+=item B<52 X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name constraint syntax>
+
+TBA
+
+=item B<53 X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: unsupported or invalid name syntax>
+
+TBA
+
+=item B<54 X509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error>
+
+TBA
+
+=item B<55 X509_V_ERR_PATH_LOOP: Path Loop>
+
+TBA
+
+=item B<56 X509_V_ERR_SUITE_B_INVALID_VERSION: Suite B: certificate version invalid>
+
+TBA
+
+=item B<57 X509_V_ERR_SUITE_B_INVALID_ALGORITHM: Suite B: invalid public key algorithm>
+
+TBA
+
+=item B<58 X509_V_ERR_SUITE_B_INVALID_CURVE: Suite B: invalid ECC curve>
+
+TBA
+
+=item B<59 X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM: Suite B: invalid signature algorithm>
+
+TBA
+
+=item B<60 X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED: Suite B: curve not allowed for this LOS>
+
+TBA
+
+=item B<61 X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256: Suite B: cannot sign P-384 with P-256>
+
+TBA
+
+=item B<62 X509_V_ERR_HOSTNAME_MISMATCH: Hostname mismatch>
+
+TBA
+
+=item B<63 X509_V_ERR_EMAIL_MISMATCH: Email address mismatch>
+
+TBA
+
+=item B<64 X509_V_ERR_IP_ADDRESS_MISMATCH: IP address mismatch>
+
+TBA
+
+=item B<65 X509_V_ERR_DANE_NO_MATCH: No matching DANE TLSA records>
+
+DANE TLSA authentication is enabled, but no TLSA records matched the
+certificate chain.
+This error is only possible in L<s_client(1)>.
+
 =back
 
 =head1 BUGS
@@ -553,6 +674,10 @@ L<x509(1)>
 
 =head1 HISTORY
 
-The -show_chain option was first added to OpenSSL 1.1.0.
+The B<-show_chain> option was first added to OpenSSL 1.1.0.
+
+The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and
+is silently ignored.
 
 =cut
+
diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
index 53a063a..6fb33ed 100644
--- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
@@ -191,12 +191,6 @@ check the signature anyway. A side effect of not checking the root CA
 signature is that disabled or unsupported message digests on the root CA
 are not treated as fatal errors.
 
-The B<X509_V_FLAG_CB_ISSUER_CHECK> flag enables debugging of certificate
-issuer checks. It is B<not> needed unless you are logging certificate
-verification. If this flag is set then additional status codes will be sent
-to the verification callback and it B<must> be prepared to handle such cases
-without assuming they are hard errors.
-
 If B<X509_V_FLAG_TRUSTED_FIRST> is set, when constructing the certificate chain,
 L<X509_verify_cert(3)> will search the trust store for issuer certificates before
 searching the provided untrusted certificates.
@@ -253,5 +247,7 @@ L<X509_check_ip(3)>
 =head1 HISTORY
 
 The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.1.0
+The legacy B<X509_V_FLAG_CB_ISSUER_CHECK> flag is deprecated as of
+OpenSSL 1.1.0, and has no effect.
 
 =cut
diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index 2ed1e4c..f2bd073 100644
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -284,7 +284,6 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 
 # define         X509_V_OK                                       0
 # define         X509_V_ERR_UNSPECIFIED                          1
-
 # define         X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT            2
 # define         X509_V_ERR_UNABLE_TO_GET_CRL                    3
 # define         X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE     4
@@ -317,7 +316,6 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 # define         X509_V_ERR_AKID_SKID_MISMATCH                   30
 # define         X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH          31
 # define         X509_V_ERR_KEYUSAGE_NO_CERTSIGN                 32
-
 # define         X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER             33
 # define         X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION         34
 # define         X509_V_ERR_KEYUSAGE_NO_CRL_SIGN                 35
@@ -326,18 +324,17 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 # define         X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED           38
 # define         X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE        39
 # define         X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED       40
-
 # define         X509_V_ERR_INVALID_EXTENSION                    41
 # define         X509_V_ERR_INVALID_POLICY_EXTENSION             42
 # define         X509_V_ERR_NO_EXPLICIT_POLICY                   43
 # define         X509_V_ERR_DIFFERENT_CRL_SCOPE                  44
 # define         X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE        45
-
 # define         X509_V_ERR_UNNESTED_RESOURCE                    46
-
 # define         X509_V_ERR_PERMITTED_VIOLATION                  47
 # define         X509_V_ERR_EXCLUDED_VIOLATION                   48
 # define         X509_V_ERR_SUBTREE_MINMAX                       49
+/* The application is not happy */
+# define         X509_V_ERR_APPLICATION_VERIFICATION             50
 # define         X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE          51
 # define         X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX        52
 # define         X509_V_ERR_UNSUPPORTED_NAME_SYNTAX              53
@@ -358,13 +355,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 /* DANE TLSA errors */
 # define         X509_V_ERR_DANE_NO_MATCH                        65
 
-/* The application is not happy */
-# define         X509_V_ERR_APPLICATION_VERIFICATION             50
 
 /* Certificate verify flags */
 
-/* Send issuer+subject checks to verify_cb */
-# define X509_V_FLAG_CB_ISSUER_CHECK             0x1
+# if OPENSSL_API_COMPAT < 0x10100000L
+#  define X509_V_FLAG_CB_ISSUER_CHECK             0x0   /* Deprecated */
+# endif
 /* Use check time instead of current time */
 # define X509_V_FLAG_USE_CHECK_TIME              0x2
 /* Lookup CRLs */
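Review bot: Defining `X509_V_FLAG_CB_ISSUER_CHECK` as `0x0` under OPENSSL_API_COMPAT makes X509_VERIFY_PARAM_set_flags() calls with it a silent no-op and any `flags & X509_V_FLAG_CB_ISSUER_CHECK` test permanently false, but the trailing comment only says "Deprecated"; it should also record that bit 0x1 stays reserved, since binaries built against older headers presumably still pass 0x1 to set_flags() and would unexpectedly enable any future flag assigned that bit. Suggested: `/* Deprecated, no effect. Bit 0x1 remains reserved: older binaries may still set it. */`. The flag list continues past the hunk.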

