Allow proxy certs to be present when verifying a chain

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>

apps/apps.h

@@ -85,7 +85,7 @@ int has_stdin_waiting(void);
         OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
         OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
         OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
-        OPT_V_VERIFY_AUTH_LEVEL, \
+        OPT_V_VERIFY_AUTH_LEVEL, OPT_V_ALLOW_PROXY_CERTS, \
         OPT_V__LAST
 
 # define OPT_V_OPTIONS \
@@ -135,7 +135,8 @@ int has_stdin_waiting(void);
         { "partial_chain", OPT_V_PARTIAL_CHAIN, '-', \
             "accept chains anchored by intermediate trust-store CAs"}, \
         { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)" }, \
-        { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }
+        { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }, \
+        { "allow_proxy_certs", OPT_V_ALLOW_PROXY_CERTS, '-', "allow the use of proxy certificates" }
 
 # define OPT_V_CASES \
         OPT_V__FIRST: case OPT_V__LAST: break; \
@@ -167,7 +168,8 @@ int has_stdin_waiting(void);
         case OPT_V_SUITEB_192: \
         case OPT_V_PARTIAL_CHAIN: \
         case OPT_V_NO_ALT_CHAINS: \
-        case OPT_V_NO_CHECK_TIME
+        case OPT_V_NO_CHECK_TIME: \
+        case OPT_V_ALLOW_PROXY_CERTS
 
 /*
  * Common "extended"? options.

apps/opt.c

@@ -580,6 +580,9 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
     case OPT_V_NO_CHECK_TIME:
         X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME);
         break;
+    case OPT_V_ALLOW_PROXY_CERTS:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_ALLOW_PROXY_CERTS);
+        break;
     }
     return 1;
 

apps/verify.c

@@ -214,6 +214,7 @@ static int check(X509_STORE *ctx, char *file,
                (file == NULL) ? "stdin" : file);
         goto end;
     }
+
     X509_STORE_set_flags(ctx, vflags);
     if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
         printf("error %s: X.509 store context initialization failed\n",

doc/apps/verify.pod

@@ -12,6 +12,7 @@ B<openssl> B<verify>
 [B<-CApath directory>]
 [B<-no-CAfile>]
 [B<-no-CApath>]
+[B<-allow_proxy_certs>]
 [B<-attime timestamp>]
 [B<-check_ss_sig>]
 [B<-CRLfile file>]
@@ -83,6 +84,10 @@ Do not load the trusted CA certificates from the default file location
 
 Do not load the trusted CA certificates from the default directory location
 
+=item B<-allow_proxy_certs>
+
+Allow the verification of proxy certificates
+
 =item B<-attime timestamp>
 
 Perform validation checks using time specified by B<timestamp> and not
@@ -564,13 +569,18 @@ Invalid non-CA certificate has CA markings.
 
 Proxy path length constraint exceeded.
 
+=item B<X509_V_ERR_PROXY_SUBJECT_INVALID>
+
+Proxy certificate subject is invalid.  It MUST be the same as the issuer
+with a single CN component added.
+
 =item B<X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE>
 
 Key usage does not include digital signature.
 
 =item B<X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED>
 
-Proxy certificates not allowed, please set the appropriate flag.
+Proxy certificates not allowed, please use B<-allow_proxy_certs>.
 
 =item B<X509_V_ERR_INVALID_EXTENSION>