Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:Update
openssl
openssl-1.0.1i-trusted-first.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssl-1.0.1i-trusted-first.patch of Package openssl
Index: openssl-1.0.1i/apps/apps.c =================================================================== --- openssl-1.0.1i.orig/apps/apps.c 2017-11-03 12:16:48.419869928 +0100 +++ openssl-1.0.1i/apps/apps.c 2017-11-03 12:38:30.809334129 +0100 @@ -2365,6 +2365,8 @@ int args_verify(char ***pargs, int *parg flags |= X509_V_FLAG_NOTIFY_POLICY; else if (!strcmp(arg, "-check_ss_sig")) flags |= X509_V_FLAG_CHECK_SS_SIGNATURE; + else if (!strcmp(arg, "-trusted_first")) + flags |= X509_V_FLAG_TRUSTED_FIRST; else return 0; Index: openssl-1.0.1i/apps/cms.c =================================================================== --- openssl-1.0.1i.orig/apps/cms.c 2014-08-06 23:10:56.000000000 +0200 +++ openssl-1.0.1i/apps/cms.c 2017-11-03 12:38:30.809334129 +0100 @@ -642,6 +642,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-text include or delete text MIME headers\n"); BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); + BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n"); BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); #ifndef OPENSSL_NO_ENGINE Index: openssl-1.0.1i/apps/ocsp.c =================================================================== --- openssl-1.0.1i.orig/apps/ocsp.c 2014-08-06 23:10:56.000000000 +0200 +++ openssl-1.0.1i/apps/ocsp.c 2017-11-03 12:38:30.809334129 +0100 @@ -605,6 +605,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-path path to use in OCSP request\n"); BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); + BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n"); BIO_printf (bio_err, "-VAfile file validator certificates file\n"); BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); BIO_printf (bio_err, "-status_age n maximum status age in seconds\n"); Index: openssl-1.0.1i/apps/s_client.c =================================================================== --- openssl-1.0.1i.orig/apps/s_client.c 2017-11-03 12:16:47.991862995 +0100 +++ openssl-1.0.1i/apps/s_client.c 2017-11-03 12:38:30.809334129 +0100 @@ -299,6 +299,7 @@ static void sc_usage(void) BIO_printf(bio_err," -pass arg - private key file pass phrase source\n"); BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); + BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n"); BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n"); BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n"); BIO_printf(bio_err," -prexit - print session information even on connection failure\n"); Index: openssl-1.0.1i/apps/smime.c =================================================================== --- openssl-1.0.1i.orig/apps/smime.c 2014-08-06 23:10:56.000000000 +0200 +++ openssl-1.0.1i/apps/smime.c 2017-11-03 12:38:30.809334129 +0100 @@ -479,6 +479,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-text include or delete text MIME headers\n"); BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); + BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n"); BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); #ifndef OPENSSL_NO_ENGINE Index: openssl-1.0.1i/apps/s_server.c =================================================================== --- openssl-1.0.1i.orig/apps/s_server.c 2017-11-03 12:16:48.283867725 +0100 +++ openssl-1.0.1i/apps/s_server.c 2017-11-03 12:38:30.809334129 +0100 @@ -522,6 +522,7 @@ static void sv_usage(void) BIO_printf(bio_err," -state - Print the SSL states\n"); BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); + BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n"); BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n"); BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n"); BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n"); Index: openssl-1.0.1i/apps/s_time.c =================================================================== --- openssl-1.0.1i.orig/apps/s_time.c 2017-11-03 12:16:47.831860403 +0100 +++ openssl-1.0.1i/apps/s_time.c 2017-11-03 12:16:48.531871742 +0100 @@ -179,6 +179,7 @@ static void s_time_usage(void) file if not specified by this option\n\ -CApath arg - PEM format directory of CA's\n\ -CAfile arg - PEM format file of CA's\n\ +-trusted_first - Use trusted CA's first when building the trust chain\n\ -cipher - preferred cipher to use, play with 'openssl ciphers'\n\n"; printf( "usage: s_time <args>\n\n" ); Index: openssl-1.0.1i/apps/ts.c =================================================================== --- openssl-1.0.1i.orig/apps/ts.c 2014-07-22 21:43:11.000000000 +0200 +++ openssl-1.0.1i/apps/ts.c 2017-11-03 12:16:48.531871742 +0100 @@ -383,7 +383,7 @@ int MAIN(int argc, char **argv) "ts -verify [-data file_to_hash] [-digest digest_bytes] " "[-queryfile request.tsq] " "-in response.tsr [-token_in] " - "-CApath ca_path -CAfile ca_file.pem " + "-CApath ca_path -CAfile ca_file.pem -trusted_first" "-untrusted cert_file.pem\n"); cleanup: /* Clean up. */ Index: openssl-1.0.1i/apps/verify.c =================================================================== --- openssl-1.0.1i.orig/apps/verify.c 2014-08-06 23:10:56.000000000 +0200 +++ openssl-1.0.1i/apps/verify.c 2017-11-03 12:38:30.809334129 +0100 @@ -237,7 +237,7 @@ int MAIN(int argc, char **argv) end: if (ret == 1) { - BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); + BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]"); BIO_printf(bio_err," [-attime timestamp]"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," [-engine e]"); Index: openssl-1.0.1i/crypto/x509/x509_vfy.c =================================================================== --- openssl-1.0.1i.orig/crypto/x509/x509_vfy.c 2017-11-03 12:16:48.123865133 +0100 +++ openssl-1.0.1i/crypto/x509/x509_vfy.c 2017-11-03 12:38:30.809334129 +0100 @@ -205,6 +205,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx /* If we are self signed, we break */ if (ctx->check_issued(ctx, x,x)) break; + /* If asked see if we can find issuer in trusted store first */ + if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) + { + ok = ctx->get_issuer(&xtmp, ctx, x); + if (ok < 0) + return ok; + /* If successful for now free up cert so it + * will be picked up again later. + */ + if (ok > 0) + { + X509_free(xtmp); + break; + } + } /* If we were passed a cert chain, use it first */ if (ctx->untrusted != NULL) Index: openssl-1.0.1i/crypto/x509/x509_vfy.h =================================================================== --- openssl-1.0.1i.orig/crypto/x509/x509_vfy.h 2014-08-06 23:10:56.000000000 +0200 +++ openssl-1.0.1i/crypto/x509/x509_vfy.h 2017-11-03 12:38:30.809334129 +0100 @@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE #define X509_V_FLAG_USE_DELTAS 0x2000 /* Check selfsigned CA signature */ #define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000 +/* Use trusted store first */ +#define X509_V_FLAG_TRUSTED_FIRST 0x8000 #define X509_VP_FLAG_DEFAULT 0x1 Index: openssl-1.0.1i/doc/apps/cms.pod =================================================================== --- openssl-1.0.1i.orig/doc/apps/cms.pod 2014-08-06 23:10:56.000000000 +0200 +++ openssl-1.0.1i/doc/apps/cms.pod 2017-11-03 12:38:30.809334129 +0100 @@ -35,6 +35,7 @@ B<openssl> B<cms> [B<-print>] [B<-CAfile file>] [B<-CApath dir>] +[B<-trusted_first>] [B<-md digest>] [B<-[cipher]>] [B<-nointern>] @@ -243,6 +244,12 @@ B<-verify>. This directory must be a sta is a hash of each subject name (using B<x509 -hash>) should be linked to each certificate. +=item B<-trusted_first> + +Use certificates in CA file or CA directory before untrusted certificates +from the message when building the trust chain to verify certificates. +This is mainly useful in environments with Bridge CA or Cross-Certified CAs. + =item B<-md digest> digest algorithm to use when signing or resigning. If not present then the Index: openssl-1.0.1i/doc/apps/ocsp.pod =================================================================== --- openssl-1.0.1i.orig/doc/apps/ocsp.pod 2014-07-22 21:43:11.000000000 +0200 +++ openssl-1.0.1i/doc/apps/ocsp.pod 2017-11-03 12:38:30.809334129 +0100 @@ -29,6 +29,7 @@ B<openssl> B<ocsp> [B<-path>] [B<-CApath dir>] [B<-CAfile file>] +[B<-trusted_first>] [B<-VAfile file>] [B<-validity_period n>] [B<-status_age n>] @@ -138,6 +139,13 @@ or "/" by default. file or pathname containing trusted CA certificates. These are used to verify the signature on the OCSP response. +=item B<-trusted_first> + +Use certificates in CA file or CA directory over certificates provided +in the response or residing in other certificates file when building the trust +chain to verify responder certificate. +This is mainly useful in environments with Bridge CA or Cross-Certified CAs. + =item B<-verify_other file> file containing additional certificates to search when attempting to locate Index: openssl-1.0.1i/doc/apps/s_client.pod =================================================================== --- openssl-1.0.1i.orig/doc/apps/s_client.pod 2014-08-06 23:10:56.000000000 +0200 +++ openssl-1.0.1i/doc/apps/s_client.pod 2017-11-03 12:38:30.809334129 +0100 @@ -19,6 +19,7 @@ B<openssl> B<s_client> [B<-pass arg>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-trusted_first>] [B<-reconnect>] [B<-pause>] [B<-showcerts>] @@ -116,7 +117,7 @@ also used when building the client certi A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first> Set various certificate chain valiadition option. See the L<B<verify>|verify(1)> manual page for details. Index: openssl-1.0.1i/doc/apps/smime.pod =================================================================== --- openssl-1.0.1i.orig/doc/apps/smime.pod 2014-07-22 21:43:11.000000000 +0200 +++ openssl-1.0.1i/doc/apps/smime.pod 2017-11-03 12:38:30.809334129 +0100 @@ -15,6 +15,9 @@ B<openssl> B<smime> [B<-pk7out>] [B<-[cipher]>] [B<-in file>] +[B<-CAfile file>] +[B<-CApath dir>] +[B<-trusted_first>] [B<-certfile file>] [B<-signer file>] [B<-recip file>] @@ -146,6 +149,12 @@ B<-verify>. This directory must be a sta is a hash of each subject name (using B<x509 -hash>) should be linked to each certificate. +=item B<-trusted_first> + +Use certificates in CA file or CA directory over certificates provided +in the message when building the trust chain to verify a certificate. +This is mainly useful in environments with Bridge CA or Cross-Certified CAs. + =item B<-md digest> digest algorithm to use when signing or resigning. If not present then the Index: openssl-1.0.1i/doc/apps/s_server.pod =================================================================== --- openssl-1.0.1i.orig/doc/apps/s_server.pod 2014-08-06 23:10:56.000000000 +0200 +++ openssl-1.0.1i/doc/apps/s_server.pod 2017-11-03 12:38:30.809334129 +0100 @@ -33,6 +33,7 @@ B<openssl> B<s_server> [B<-state>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-trusted_first>] [B<-nocert>] [B<-cipher cipherlist>] [B<-serverpref>] @@ -178,6 +179,12 @@ and to use when attempting to build the is also used in the list of acceptable client CAs passed to the client when a certificate is requested. +=item B<-trusted_first> + +Use certificates in CA file or CA directory before other certificates +when building the trust chain to verify client certificates. +This is mainly useful in environments with Bridge CA or Cross-Certified CAs. + =item B<-state> prints out the SSL session states. Index: openssl-1.0.1i/doc/apps/s_time.pod =================================================================== --- openssl-1.0.1i.orig/doc/apps/s_time.pod 2014-07-22 21:41:23.000000000 +0200 +++ openssl-1.0.1i/doc/apps/s_time.pod 2017-11-03 12:16:48.531871742 +0100 @@ -14,6 +14,7 @@ B<openssl> B<s_time> [B<-key filename>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-trusted_first>] [B<-reuse>] [B<-new>] [B<-verify depth>] @@ -76,6 +77,12 @@ also used when building the client certi A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain. +=item B<-trusted_first> + +Use certificates in CA file or CA directory over the certificates provided +by the server when building the trust chain to verify server certificate. +This is mainly useful in environments with Bridge CA or Cross-Certified CAs. + =item B<-new> performs the timing test using a new session ID for each connection. Index: openssl-1.0.1i/doc/apps/ts.pod =================================================================== --- openssl-1.0.1i.orig/doc/apps/ts.pod 2017-11-03 12:16:47.795859820 +0100 +++ openssl-1.0.1i/doc/apps/ts.pod 2017-11-03 12:16:48.531871742 +0100 @@ -46,6 +46,7 @@ B<-verify> [B<-token_in>] [B<-CApath> trusted_cert_path] [B<-CAfile> trusted_certs.pem] +[B<-trusted_first>] [B<-untrusted> cert_file.pem] =head1 DESCRIPTION @@ -324,6 +325,12 @@ L<verify(1)|verify(1)> for additional de or B<-CApath> must be specified. (Optional) +=item B<-trusted_first> + +Use certificates in CA file or CA directory before other certificates +when building the trust chain to verify certificates. +This is mainly useful in environments with Bridge CA or Cross-Certified CAs. + =item B<-untrusted> cert_file.pem Set of additional untrusted certificates in PEM format which may be Index: openssl-1.0.1i/doc/apps/verify.pod =================================================================== --- openssl-1.0.1i.orig/doc/apps/verify.pod 2014-08-06 23:10:56.000000000 +0200 +++ openssl-1.0.1i/doc/apps/verify.pod 2017-11-03 12:38:30.809334129 +0100 @@ -9,6 +9,7 @@ verify - Utility to verify certificates. B<openssl> B<verify> [B<-CApath directory>] [B<-CAfile file>] +[B<-trusted_first>] [B<-purpose purpose>] [B<-policy arg>] [B<-ignore_critical>] @@ -56,6 +57,12 @@ in PEM format concatenated together. A file of untrusted certificates. The file should contain multiple certificates in PEM format concatenated together. +=item B<-trusted_first> + +Use certificates in CA file or CA directory before the certificates in the untrusted +file when building the trust chain to verify certificates. +This is mainly useful in environments with Bridge CA or Cross-Certified CAs. + =item B<-purpose purpose> The intended use for the certificate. If this option is not specified,
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor