apps/verify.c: Change an old comment to clarify what the callback does

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/7922)
2019-01-16 21:54:48 +01:00 · 2019-01-16 21:54:48 +01:00 · 9b10986d77
commit 9b10986d77
parent 807989df56
1 changed files with 8 additions and 5 deletions
--- a/apps/verify.c
+++ b/apps/verify.c
@ -286,16 +286,19 @@ static int cb(int ok, X509_STORE_CTX *ctx)
               cert_error,
               X509_STORE_CTX_get_error_depth(ctx),
               X509_verify_cert_error_string(cert_error));
+
+        /*
+         * Pretend that some errors are ok, so they don't stop further
+         * processing of the certificate chain.  Setting ok = 1 does this.
+         * After X509_verify_cert() is done, we verify that there were
+         * no actual errors, even if the returned value was positive.
+         */
        switch (cert_error) {
        case X509_V_ERR_NO_EXPLICIT_POLICY:
            policies_print(ctx);
            /* fall thru */
        case X509_V_ERR_CERT_HAS_EXPIRED:
-
-            /*
-             * since we are just checking the certificates, it is ok if they
-             * are self signed. But we should still warn the user.
-             */
+            /* Continue even if the leaf is a self signed cert */
        case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
            /* Continue after extension errors too */
        case X509_V_ERR_INVALID_CA: