[openssl-users] [PATCH] apps: when -purpose is passed, set matching trust param
Adam Williamson
awilliam at redhat.com
Fri Jan 16 07:44:36 UTC 2015
All the necessary bits are in place to make this possible,
they just never got wired up. With this, for instance, when
you use the 'verify' sub-command to verify a certificate
chain with '-purpose sslserver', error 28 will occur if the
root cert is not trusted for X509_TRUST_SSL_SERVER. This
matches the behaviour of actual SSL client code (e.g.
's_client') more closely.
This is a follow-up to my last couple of mails where I worked
all this stuff out; it turns out it's actually (seemingly)
pretty trivial to go ahead and hook up the appropriate trust
param when -purpose is passed. I tested this in the setup
described in my earlier emails; verify functions as expected
in that case.
---
apps/apps.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/apps/apps.c b/apps/apps.c
index ac709a6..58a1b87 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2383,7 +2383,7 @@ int args_verify(char ***pargs, int *pargc,
ASN1_OBJECT *otmp = NULL;
unsigned long flags = 0;
int i;
- int purpose = 0, depth = -1;
+ int purpose = 0, trust = 0, depth = -1;
char **oldargs = *pargs;
char *arg = **pargs, *argn = (*pargs)[1];
const X509_VERIFY_PARAM *vpm = NULL;
@@ -2424,6 +2424,7 @@ int args_verify(char ***pargs, int *pargc,
{
xptmp = X509_PURPOSE_get0(i);
purpose = X509_PURPOSE_get_id(xptmp);
+ trust = X509_PURPOSE_get_trust(xptmp);
}
}
(*pargs)++;
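Review bot: X509_PURPOSE_get_trust(xptmp) hands back the purpose table's trust field verbatim, and for a purpose such as `any` that field is the placeholder X509_TRUST_DEFAULT rather than a registered trust id; the `if (trust)` guard in the later hunk only screens that out if X509_TRUST_DEFAULT happens to be 0. Compare against the constant instead, e.g. `trust = X509_PURPOSE_get_trust(xptmp); if (trust == X509_TRUST_DEFAULT) trust = 0;`, so the placeholder never reaches X509_VERIFY_PARAM_set_trust().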
@@ -2564,6 +2565,9 @@ int args_verify(char ***pargs, int *pargc,
if (purpose)
X509_VERIFY_PARAM_set_purpose(*pm, purpose);
+ if (trust)
+ X509_VERIFY_PARAM_set_trust(*pm, trust);
+
if (depth >= 0)
X509_VERIFY_PARAM_set_depth(*pm, depth);
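Review bot: the return value of X509_VERIFY_PARAM_set_trust() is discarded (as it already is for X509_VERIFY_PARAM_set_purpose() just above), and it returns 0 when the id is not a registered trust, which is the one way this call can fail; since args_verify() already reports bad input through *badarg, checking the result and flagging it there would cost a line. Also, the added blank line separates the trust block from the depth block but nothing separates the purpose block from the trust block; either space all three blocks or none.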
--
2.2.1