Move peer chain security checks into x509_vfy.c

A new X509_VERIFY_PARAM_set_auth_level() function sets the authentication security level. For verification of SSL peers, this is automatically set from the SSL security level. Otherwise, for now, the authentication security level remains at (effectively) 0 by default. The new "-auth_level" verify(1) option is available in all the command-line tools that support the standard verify(1) options. New verify(1) tests added to check enforcement of chain signature and public key security levels. Also added new tests of enforcement of the verify_depth limit. Updated documentation. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
author: Viktor Dukhovni <openssl-users@dukhovni.org> 2016-03-18 22:09:41 -0400
committer: Viktor Dukhovni <openssl-users@dukhovni.org> 2016-04-03 11:35:35 -0400
commit: fbb82a60dcbe820714a246ab3e7617eaf3a7b656 (patch)
tree: 261c976e4e3d6dbea776b0fb54c635bd2a10eebd /apps/opt.c
parent: 70dd3c6593d87e4cbb56b485717cb2cfff730f3e (diff)
download: openssl-fbb82a60dcbe820714a246ab3e7617eaf3a7b656.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/apps/opt.c b/apps/opt.c
index af994bb743..462894a938 100644
--- a/apps/opt.c
+++ b/apps/opt.c
@@ -526,6 +526,11 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
         if (i >= 0)
             X509_VERIFY_PARAM_set_depth(vpm, i);
         break;
+    case OPT_V_VERIFY_AUTH_LEVEL:
+        i = atoi(opt_arg());
+        if (i >= 0)
+            X509_VERIFY_PARAM_set_auth_level(vpm, i);
+        break;
     case OPT_V_ATTIME:
         if (!opt_imax(opt_arg(), &t))
             return 0;
author	Viktor Dukhovni <openssl-users@dukhovni.org>	2016-03-18 22:09:41 -0400
committer	Viktor Dukhovni <openssl-users@dukhovni.org>	2016-04-03 11:35:35 -0400
commit	fbb82a60dcbe820714a246ab3e7617eaf3a7b656 (patch)
tree	261c976e4e3d6dbea776b0fb54c635bd2a10eebd /apps/opt.c
parent	70dd3c6593d87e4cbb56b485717cb2cfff730f3e (diff)
download	openssl-fbb82a60dcbe820714a246ab3e7617eaf3a7b656.tar.gz