authorViktor Dukhovni <openssl-users@dukhovni.org>2016-01-16 01:15:02 -0500
committerViktor Dukhovni <openssl-users@dukhovni.org>2016-01-20 19:04:33 -0500
commitfeb2f53edc7e9b96cfe9c0ab611461edabdd2b34 (patch)
tree4a46e701fa35f54f21d45631d7cbae55bd1f6caa /apps/verify.c
parent0996dc5440cc233f029129182bbb6e3d4613045a (diff)
Multiple -trusted/-untrusted/-CRLfile options in verify
It is sometimes useful (especially in automated tests) to supply multiple trusted or untrusted certificates via separate files rather than have to prepare a single file containing them all. To that end, change verify(1) to accept these options zero or more times. Also automatically set -no-CAfile and -no-CApath when -trusted is specified. Improve verify(1) documentation, which could still use some work. Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'apps/verify.c')
-rw-r--r--apps/verify.c38
1 files changed, 16 insertions, 22 deletions
diff --git a/apps/verify.c b/apps/verify.c
index 183579c06d..158504464b 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -115,7 +115,6 @@ int verify_main(int argc, char **argv)
X509_VERIFY_PARAM *vpm = NULL;
char *prog, *CApath = NULL, *CAfile = NULL;
int noCApath = 0, noCAfile = 0;
- char *untfile = NULL, *trustfile = NULL, *crlfile = NULL;
int vpmtouched = 0, crl_download = 0, show_chain = 0, i = 0, ret = 1;
OPTION_CHOICE o;
@@ -167,13 +166,24 @@ int verify_main(int argc, char **argv)
noCAfile = 1;
break;
case OPT_UNTRUSTED:
- untfile = opt_arg();
+ /* Zero or more times */
+ if (!load_certs(opt_arg(), &untrusted, FORMAT_PEM, NULL, e,
+ "untrusted certificates"))
+ goto end;
break;
case OPT_TRUSTED:
- trustfile = opt_arg();
+ /* Zero or more times */
+ noCAfile = 1;
+ noCApath = 1;
+ if (!load_certs(opt_arg(), &trusted, FORMAT_PEM, NULL, e,
+ "trusted certificates"))
+ goto end;
break;
case OPT_CRLFILE:
- crlfile = opt_arg();
+ /* Zero or more times */
+ if (!load_crls(opt_arg(), &crls, FORMAT_PEM, NULL, e,
+ "other CRLs"))
+ goto end;
break;
case OPT_CRL_DOWNLOAD:
crl_download = 1;
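Review bot: Repeating -untrusted, -trusted or -CRLfile is only correct if `load_certs()` and `load_crls()` append to a stack that is already non-NULL, and nothing on this page shows that, since the diff is limited to apps/verify.c. If either helper allocated a fresh stack on each call, an earlier -trusted file would be dropped silently (and leaked), so verification would run against a different trust-anchor set than the caller specified. I would expand the three `/* Zero or more times */` comments to state the dependency, for example `/* May repeat: relies on load_certs() appending to an existing stack */`. A regression test would pass two -trusted files where the chain verifies only with the first one.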
@@ -182,6 +192,7 @@ int verify_main(int argc, char **argv)
show_chain = 1;
break;
case OPT_ENGINE:
+ /* Specify *before* -trusted/-untrusted/-CRLfile */
e = setup_engine(opt_arg(), 0);
break;
case OPT_VERBOSE:
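Review bot: The requirement that -engine come before -trusted/-untrusted/-CRLfile is enforced only by a source comment in the OPT_ENGINE case. A command line that names the engine last is still accepted (constructed example: `-trusted ca.pem -engine X`), and the earlier `load_certs()`/`load_crls()` calls have by then already run with `e` in its initial state. If the engine argument affects loading, that is a silent behaviour difference. OPT_ENGINE could reject late use with a guard such as `if (trusted != NULL || untrusted != NULL || crls != NULL)`, followed by an error message and `goto end`; at minimum the ordering should appear in the option help and in verify(1). The switch statement begins and ends outside this hunk.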
@@ -191,7 +202,7 @@ int verify_main(int argc, char **argv)
}
argc = opt_num_rest();
argv = opt_rest();
- if (trustfile && (CAfile || CApath)) {
+ if (trusted != NULL && (CAfile || CApath)) {
BIO_printf(bio_err,
"%s: Cannot use -trusted with -CAfile or -CApath\n",
prog);
@@ -207,23 +218,6 @@ int verify_main(int argc, char **argv)
ERR_clear_error();
- if (untfile) {
- if (!load_certs(untfile, &untrusted, FORMAT_PEM, NULL, e,
- "untrusted certificates"))
- goto end;
- }
-
- if (trustfile) {
- if (!load_certs(trustfile, &trusted, FORMAT_PEM, NULL, e,
- "trusted certificates"))
- goto end;
- }
-
- if (crlfile) {
- if (!load_crls(crlfile, &crls, FORMAT_PEM, NULL, e, "other CRLs"))
- goto end;
- }
-
if (crl_download)
store_setup_crl_download(store);