author | Matt Caswell <matt@openssl.org> | 2015-09-22 16:00:52 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2015-09-25 14:49:59 +0100 |
commit | 2b6bcb702d237171ec5217956a42c8dce031ea51 (patch) | |
tree | 28ae33107e186389f048d4e7f0aa9a9a12ed79a2 /apps/ocsp.c | |
parent | 631fb6af5f404e4f8b4ae33f3ffdcec81b9df19a (diff) | |
download | openssl-2b6bcb702d237171ec5217956a42c8dce031ea51.tar.gz |
Add support for -no-CApath and -no-CAfile options
For those command line options that take the verification options
-CApath and -CAfile, if those options are absent then the default path or
file is used instead. It is not currently possible to specify *no* path or
file at all. This change adds the options -no-CApath and -no-CAfile to all
relevant applications, to specify that the default locations should not be
used.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Diffstat (limited to 'apps/ocsp.c')
-rw-r--r-- | apps/ocsp.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/apps/ocsp.c b/apps/ocsp.c index e97d06e7c1..960b77681a 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -131,7 +131,7 @@ typedef enum OPTION_choice { OPT_NO_CERT_CHECKS, OPT_NO_EXPLICIT, OPT_TRUST_OTHER, OPT_NO_INTERN, OPT_BADSIG, OPT_TEXT, OPT_REQ_TEXT, OPT_RESP_TEXT, OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER, - OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH, + OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH, OPT_NOCAFILE, OPT_NOCAPATH, OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT, OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL, OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER, @@ -183,6 +183,10 @@ OPTIONS ocsp_options[] = { "Additional certificates to search for signer"}, {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, {"CApath", OPT_CAPATH, '<', "Trusted certificates directory"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, {"validity_period", OPT_VALIDITY_PERIOD, 'u', "Maximum validity discrepancy in seconds"}, {"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"}, @@ -236,6 +240,7 @@ int ocsp_main(int argc, char **argv) char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL; char *signfile = NULL, *keyfile = NULL; char *thost = NULL, *tport = NULL, *tpath = NULL; + int noCAfile = 0, noCApath = 0; int accept_count = -1, add_nonce = 1, noverify = 0, use_ssl = -1; int vpmtouched = 0, badsig = 0, i, ignore_err = 0, nmin = 0, ndays = -1; int req_text = 0, resp_text = 0, req_timeout = -1, ret = 1; @@ -369,6 +374,12 @@ int ocsp_main(int argc, char **argv) case OPT_CAPATH: CApath = opt_arg(); break; + case OPT_NOCAFILE: + noCAfile = 1; + break; + case OPT_NOCAPATH: + noCApath = 1; + break; case OPT_V_CASES: if (!opt_verify(o, vpm)) goto end; 
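Review bot: In the option-parsing hunk (`case OPT_NOCAFILE:` / `case OPT_NOCAPATH:`), nothing states what happens when `-CAfile <file>` and `-no-CAfile` are given together; both values are simply recorded and the precedence is left to `setup_verify`, whose body is not part of this diff. The help strings added in the options table ("Do not load the default certificates file") suggest only the default location is suppressed, so a comment on the new cases would pin that down, e.g. `/* suppresses the default file only; an explicit -CAfile is still loaded (confirm in setup_verify) */`. Because this decides which trust anchors are used to verify an OCSP response, the same precedence should also be spelled out in the command's documentation. `ocsp_main` starts and ends outside the hunk.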
@@ -685,7 +696,7 @@ int ocsp_main(int argc, char **argv) } if (!store) { - store = setup_verify(CAfile, CApath); + store = setup_verify(CAfile, CApath, noCAfile, noCApath); if (!store) goto end; } |
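Review bot: With both `-no-CAfile` and `-no-CApath` set and no `-CAfile`/`-CApath`, the store returned by `setup_verify(CAfile, CApath, noCAfile, noCApath)` presumably holds no trust anchors, and `if (!store) goto end;` only catches a failed setup, not an empty store. A short comment above the call would make that consequence explicit, e.g. `/* store may contain no roots when both -no-CA* flags are set; response verification then depends on explicitly supplied trust such as -VAfile */`. `setup_verify` is not visible here, so it is worth confirming that it does not silently fall back to the default locations in that case. `ocsp_main` starts and ends outside the hunk.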