diff options
| author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-29 02:28:43 -0500 |
|---|---|---|
| committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-31 21:24:12 -0500 |
| commit | 33cc5dde478ba5ad79f8fd4acd8737f0e60e236e (patch) | |
| tree | 9c1ab89462ef00d5700c3712737a6ae960c2e604 /include/openssl/x509.h | |
| parent | 0daccd4dc1f1ac62181738a91714f35472e50f3c (diff) | |
| download | openssl-33cc5dde478ba5ad79f8fd4acd8737f0e60e236e.zip openssl-33cc5dde478ba5ad79f8fd4acd8737f0e60e236e.tar.gz openssl-33cc5dde478ba5ad79f8fd4acd8737f0e60e236e.tar.bz2 | |
Compat self-signed trust with reject-only aux data
When auxiliary data contains only reject entries, continue to trust
self-signed objects just as when no auxiliary data is present.
This makes it possible to reject specific uses without changing
what's accepted (and thus overring the underlying EKU).
Added new supported certs and doubled test count from 38 to 76.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'include/openssl/x509.h')
| -rw-r--r-- | include/openssl/x509.h | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 3a1c5e2..06fc99e 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -201,7 +201,12 @@ DEFINE_STACK_OF(X509_TRUST) /* trust_flags values */ # define X509_TRUST_DYNAMIC (1U << 0) # define X509_TRUST_DYNAMIC_NAME (1U << 1) +/* No compat trust if self-signed, preempts "DO_SS" */ # define X509_TRUST_NO_SS_COMPAT (1U << 2) +/* Compat trust if no explicit accepted trust EKUs */ +# define X509_TRUST_DO_SS_COMPAT (1U << 3) +/* Accept "anyEKU" as a wildcard trust OID */ +# define X509_TRUST_OK_ANY_EKU (1U << 4) /* check_trust return codes */ |