Closed noloader closed 4 years ago
Thanks again! I'll study/review hopefully this afternoon, but soon in any case.
Thanks @wtoorop.
Take what you want from it.
If LDNS ever supports different back-ends, like GnuTLS or NSS, then you will definitely want X509_V_FLAG_PARTIAL_CHAIN. GnuTLS and NSS bake in the logic of OpenSSL's X509_V_FLAG_PARTIAL_CHAIN. To keep consistent behavior with GnuTLS or NSS, LDNS will need X509_V_FLAG_PARTIAL_CHAIN.
And other software, like cURL and Wget, use X509_V_FLAG_PARTIAL_CHAIN when using OpenSSL as a back-end.
OK, deleting.
Here is the patch if you want to take pieces from it in the future: X509_V_FLAG_PARTIAL_CHAIN.diff.zip.
Did you not want to keep the branch around? I did not have opportunity to look/merge yet...
dane.c: use OpenSSL X509_V_FLAG_PARTIAL_CHAIN in verify context.
OpenSSL's X509_V_FLAG_PARTIAL_CHAIN allows one to use an intermediate CA (i.e., non-root) to root trust. It is incredibly useful to prune paths from a trust model. For example, with X509_V_FLAG_PARTIAL_CHAIN, one can use Let's Encrypt CA certificate alone to verify a server. Without the flag one must trust the IdenTrust Root CA, which brings in the entire PKI, including issuers for revocation, server certificates, client certificates, code signing certificates and time stamping.
Also clear several 'maybe uninitialized' warnings. The warnings seem to be related to the conditional code paths guarded by X509_V_FLAG_PARTIAL_CHAIN.
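The behaviour the description above relies on can be reproduced from the command line. The script below is an added example, not code from this pull request or from LDNS: it builds a constructed three-level chain (root, intermediate, leaf, with made-up names and lifetimes) and verifies the leaf three ways with `openssl verify`. The `-partial_chain` switch of that tool sets the same X509_V_FLAG_PARTIAL_CHAIN flag on the verification context that C code sets through X509_STORE_set_flags() or X509_VERIFY_PARAM_set_flags(). It assumes an openssl binary of version 1.1.0 or later on PATH (for `-no-CAfile`/`-no-CApath`).

```shell
#!/bin/sh
# Added example (not LDNS code): show what X509_V_FLAG_PARTIAL_CHAIN changes,
# using the `openssl verify` CLI, whose -partial_chain switch sets that same
# flag on the verification context. Assumes an openssl binary >= 1.1.0 on PATH.
set -e

# build_chain DIR: create a constructed three-level chain in DIR:
#   root.pem (self-signed) -> inter.pem (intermediate CA) -> leaf.pem (server)
# All names and lifetimes are made up for the demonstration.
build_chain() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nsubjectAltName=DNS:example.test\n' >"$dir/leaf.ext"

  # Root: self-signed CA certificate.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
    -out "$dir/root.csr" -subj "/CN=Example Test Root" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
    -out "$dir/root.pem" -days 3650 -extfile "$dir/ca.ext" 2>/dev/null

  # Intermediate: CA certificate issued by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/inter.key" \
    -out "$dir/inter.csr" -subj "/CN=Example Test Intermediate" 2>/dev/null
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -out "$dir/inter.pem" -days 1825 -extfile "$dir/ca.ext" 2>/dev/null

  # Leaf: end-entity certificate issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
    -out "$dir/leaf.csr" -subj "/CN=example.test" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
    -CAcreateserial -out "$dir/leaf.pem" -days 365 -extfile "$dir/leaf.ext" 2>/dev/null
}

# verify_leaf DIR MODE: run `openssl verify` on leaf.pem; the exit status is the verdict.
#   full     trust the root, supply the intermediate as an untrusted chain cert
#   strict   trust only the intermediate, default flags
#   partial  trust only the intermediate, with -partial_chain (X509_V_FLAG_PARTIAL_CHAIN)
# -no-CAfile/-no-CApath keep the system trust store out of the picture.
verify_leaf() {
  dir=$1
  case $2 in
    full)    set -- -CAfile "$dir/root.pem" -untrusted "$dir/inter.pem" ;;
    strict)  set -- -CAfile "$dir/inter.pem" ;;
    partial) set -- -partial_chain -CAfile "$dir/inter.pem" ;;
    *)       echo "unknown mode: $2" >&2; return 2 ;;
  esac
  openssl verify -no-CAfile -no-CApath "$@" "$dir/leaf.pem" >/dev/null 2>&1
}

# verify_outcome DIR MODE: print "pass" or "fail" for the given mode.
verify_outcome() {
  if verify_leaf "$1" "$2"; then echo pass; else echo fail; fi
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
build_chain "$DEMO_DIR"
for mode in full strict partial; do
  echo "$mode: $(verify_outcome "$DEMO_DIR" "$mode")"
done
```

The `strict` case is the one the description is about: with only the intermediate in the trust store and default flags, chain building stops with "unable to get issuer certificate" because OpenSSL insists on reaching a self-signed anchor. With `-partial_chain` the same store is accepted, so the verifier trusts exactly the issuing CA and nothing above it; this is what lets a DANE or TLS client pin a single intermediate without importing the whole PKI behind its root.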