authorViktor Dukhovni <openssl-users@dukhovni.org>2016-01-27 22:43:23 -0500
committerViktor Dukhovni <openssl-users@dukhovni.org>2016-01-29 10:53:46 -0500
commitaea6116146ef462d11950ebf701e0f56a38b3d75 (patch)
tree810de6d4e9c918d69c0b8e7a6d2220191c3704e9 /include
parentd8ca44ba4158a9dafeaa30d3cba6f113904d2aa6 (diff)
downloadopenssl-aea6116146ef462d11950ebf701e0f56a38b3d75.tar.gz
Make it possible to check for explicit auxiliary trust
By default X509_check_trust() trusts self-signed certificates from the trust store that carry no explicit local trust/reject OIDs encapsulated as a "TRUSTED CERTIFICATE" object. (See the -addtrust and -trustout options of x509(1).)

This commit adds a flag that makes it possible to distinguish between that implicit trust and explicit auxiliary trust settings. With flags |= X509_TRUST_NO_SS_COMPAT, a certificate is trusted only via explicit trust settings.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'include')
-rw-r--r--include/openssl/x509.h5
1 files changed, 3 insertions, 2 deletions
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 477bff8eb8..7581bb4be8 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -199,8 +199,9 @@ DEFINE_STACK_OF(X509_TRUST)
# define X509_TRUST_MAX 8
/* trust_flags values */
-# define X509_TRUST_DYNAMIC 1
-# define X509_TRUST_DYNAMIC_NAME 2
+# define X509_TRUST_DYNAMIC (1U << 0)
+# define X509_TRUST_DYNAMIC_NAME (1U << 1)
+# define X509_TRUST_NO_SS_COMPAT (1U << 2)
/* check_trust return codes */
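Review bot: The new X509_TRUST_NO_SS_COMPAT bit on the `+` line is added to the public header without any comment, and the behaviour it turns off — implicit trust of self-signed store certificates that carry no auxiliary trust/reject OIDs — is exactly the security-relevant default a caller needs to know about when choosing whether to set it. Suggest a comment directly above the define: `/* Trust only via explicit auxiliary trust settings; without this flag, self-signed store certificates with no trust/reject OIDs are implicitly trusted (see x509(1) -addtrust) */`. Rewriting the existing DYNAMIC and DYNAMIC_NAME bits as `(1U << n)` is a reasonable style change and keeps the values unchanged. The function that consumes these flags, X509_check_trust(), is not in this hunk, so I cannot confirm from here that the new bit is actually honoured at the point where the implicit self-signed trust decision is made; that should be checked in the matching crypto/x509 change.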