X509 verification fixes.
Ignore self issued certificates when checking path length constraints.
Duplicate OIDs in policy tree in case they are allocated.
Use anyPolicy from certificate cache and not current tree level.
diff --git a/apps/cms.c b/apps/cms.c
index 868de4e..b7382a4 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -95,6 +95,8 @@
#define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP)
#define SMIME_VERIFY_RECEIPT (16 | SMIME_IP)
+int verify_err = 0;
+
int MAIN(int, char **);
int MAIN(int argc, char **argv)
@@ -118,6 +120,7 @@
BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL;
int badarg = 0;
int flags = CMS_DETACHED, noout = 0, print = 0;
+ int verify_retcode = 0;
int rr_print = 0, rr_allorfirst = -1;
STACK_OF(STRING) *rr_to = NULL, *rr_from = NULL;
CMS_ReceiptRequest *rr = NULL;
@@ -167,6 +170,8 @@
operation = SMIME_RESIGN;
else if (!strcmp (*args, "-verify"))
operation = SMIME_VERIFY;
+ else if (!strcmp (*args, "-verify_retcode"))
+ verify_retcode = 1;
else if (!strcmp(*args,"-verify_receipt"))
{
operation = SMIME_VERIFY_RECEIPT;
@@ -1077,6 +1082,8 @@
else
{
BIO_printf(bio_err, "Verification failure\n");
+ if (verify_retcode)
+ ret = verify_err + 32;
goto end;
}
if (signerfile)
@@ -1206,6 +1213,8 @@
error = X509_STORE_CTX_get_error(ctx);
+ verify_err = error;
+
if ((error != X509_V_ERR_NO_EXPLICIT_POLICY)
&& ((error != X509_V_OK) || (ok != 2)))
return ok;
