x509storeissuer: add an ability to skip loading default paths

esyr · esyr · commit d12e9fa4e5f2 · 2025-11-10T15:52:59.000+01:00
Signed-off-by: Eugene Syromiatnikov &lt;esyr@openssl.org&gt;
diff --git a/source/x509storeissuer.c b/source/x509storeissuer.c
@@ -545,7 +545,7 @@ usage(char * const argv[])
 {
     fprintf(stderr,
             "Usage: %s [-t] [-v] [-q N] [-T time] [-n nonce_type:type_args]"
-            " [-l max_certs] [-L max_cert_dirs] [-C threads]"
+            " [-l max_certs] [-L max_cert_dirs] [-E] [-C threads]"
             " [-V] certsdir [certsdir...] threadcount\n"
             "\t-t\tTerse output\n"
             "\t-v\tVerbose output.  Multiple usage increases verbosity.\n"
@@ -563,6 +563,7 @@ usage(char * const argv[])
             "\t\tDefault: " OPENSSL_MSTR(MAX_LOAD_CERTS) "\n"
             "\t-L\tLimit on the number of initially loaded certificate\n"
             "\t\tdirectories.  Default: " OPENSSL_MSTR(MAX_LOAD_CERT_DIRS) "\n"
+            "\t-E\tDo not call X509_STORE_set_default_paths()\n"
             "\t-C\tNumber of threads that share the same X.509\n"
             "\t\tstore context object.  Default: "
             OPENSSL_MSTR(CTX_SHARE_THREADS) "\n"
@@ -635,11 +636,12 @@ main(int argc, char *argv[])
     size_t num_certs = 0;
     size_t max_load_certs = MAX_LOAD_CERTS;
     int max_load_cert_dirs = MAX_LOAD_CERT_DIRS;
+    bool skip_default_paths = false;
     struct nonce_cfg nonce_cfg;
 
     parse_nonce_cfg(NONCE_CFG, &nonce_cfg);
 
-    while ((opt = getopt(argc, argv, "tvq:T:n:l:L:C:V")) != -1) {
+    while ((opt = getopt(argc, argv, "tvq:T:n:l:L:EC:V")) != -1) {
         switch (opt) {
         case 't': /* terse */
             verbosity = VERBOSITY_TERSE;
@@ -671,6 +673,9 @@ main(int argc, char *argv[])
                                            "maximum certificate directories"
                                            " load count");
             break;
+        case 'E':
+            skip_default_paths = true;
+            break;
         case 'C': /* how many threads share X509_STORE_CTX */
             ctx_share_cnt = parse_int(optarg, 1, INT_MAX,
                                       "X509_STORE_CTX share degree");
@@ -717,8 +722,12 @@ main(int argc, char *argv[])
     }
 
     store = X509_STORE_new();
-    if (store == NULL || !X509_STORE_set_default_paths(store))
+    if (store == NULL)
         errx(EXIT_FAILURE, "Failed to create X509_STORE");
+    if (!skip_default_paths) {
+        if (!X509_STORE_set_default_paths(store))
+            errx(EXIT_FAILURE, "Failed to load certificates from default paths");
+    }
 
     num_certs += read_certsdirs(argv + dirs_start, max_load_certs,
                                 OSSL_MIN(argc - dirs_start - 1,
