APPS: make sure the -CAfile argument can be in DER format

Note that PKCS#12 input is still not supported here- Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18917)
2025-01-12 13:36:28 +08:00 · 2022-07-29 11:31:39 +02:00 · 2022-07-29 11:31:39 +02:00 · 57c0205b4d
commit 57c0205b4d
parent 2786160731
2 changed files with 8 additions and 4 deletions
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@ -1379,8 +1379,12 @@ X509_STORE *setup_verify(const char *CAfile, int noCAfile,
        if (CAfile != NULL) {
            if (X509_LOOKUP_load_file_ex(lookup, CAfile, X509_FILETYPE_PEM,
                                         libctx, propq) <= 0) {
-                BIO_printf(bio_err, "Error loading file %s\n", CAfile);
-                goto end;
+                ERR_clear_error();
+                if (X509_LOOKUP_load_file_ex(lookup, CAfile, X509_FILETYPE_ASN1,
+                                             libctx, propq) <= 0) {
+                    BIO_printf(bio_err, "Error loading file %s\n", CAfile);
+                    goto end;
+                }
            }
        } else {
            X509_LOOKUP_load_file_ex(lookup, NULL, X509_FILETYPE_DEFAULT,
--- a/doc/man1/openssl-verification-options.pod
+++ b/doc/man1/openssl-verification-options.pod
@ -202,8 +202,8 @@ can be specified using following options.

 =item B<-CAfile> I<file>

-Load the specified file which contains a certificate
-or several of them in case the input is in PEM or PKCS#12 format.
+Load the specified file which contains a trusted certificate in DER format
+or potentially several of them in case the input is in PEM format.
 PEM-encoded certificates may also have trust attributes set.

 =item B<-no-CAfile>