1 /* crypto/x509/x509_vfy.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
64 #include <openssl/crypto.h>
65 #include <openssl/lhash.h>
66 #include <openssl/buffer.h>
67 #include <openssl/evp.h>
68 #include <openssl/asn1.h>
69 #include <openssl/x509.h>
70 #include <openssl/x509v3.h>
71 #include <openssl/objects.h>
73 static int null_callback(int ok
,X509_STORE_CTX
*e
);
74 static int check_issued(X509_STORE_CTX
*ctx
, X509
*x
, X509
*issuer
);
75 static X509
*find_issuer(X509_STORE_CTX
*ctx
, STACK_OF(X509
) *sk
, X509
*x
);
76 static int check_chain_extensions(X509_STORE_CTX
*ctx
);
77 static int check_name_constraints(X509_STORE_CTX
*ctx
);
78 static int check_trust(X509_STORE_CTX
*ctx
);
79 static int check_revocation(X509_STORE_CTX
*ctx
);
80 static int check_cert(X509_STORE_CTX
*ctx
);
81 static int check_policy(X509_STORE_CTX
*ctx
);
82 static int crl_akid_check(X509_STORE_CTX
*ctx
, X509_CRL
*crl
, X509
**pissuer
);
83 static int idp_check_scope(X509
*x
, X509_CRL
*crl
);
84 static int internal_verify(X509_STORE_CTX
*ctx
);
85 const char X509_version
[]="X.509" OPENSSL_VERSION_PTEXT
;
88 static int null_callback(int ok
, X509_STORE_CTX
*e
)
94 static int x509_subject_cmp(X509
**a
, X509
**b
)
96 return X509_subject_name_cmp(*a
,*b
);
100 int X509_verify_cert(X509_STORE_CTX
*ctx
)
102 X509
*x
,*xtmp
,*chain_ss
=NULL
;
105 X509_VERIFY_PARAM
*param
= ctx
->param
;
108 int (*cb
)(int xok
,X509_STORE_CTX
*xctx
);
109 STACK_OF(X509
) *sktmp
=NULL
;
110 if (ctx
->cert
== NULL
)
112 X509err(X509_F_X509_VERIFY_CERT
,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY
);
118 /* first we make sure the chain we are going to build is
119 * present and that the first entry is in place */
120 if (ctx
->chain
== NULL
)
122 if ( ((ctx
->chain
=sk_X509_new_null()) == NULL
) ||
123 (!sk_X509_push(ctx
->chain
,ctx
->cert
)))
125 X509err(X509_F_X509_VERIFY_CERT
,ERR_R_MALLOC_FAILURE
);
128 CRYPTO_add(&ctx
->cert
->references
,1,CRYPTO_LOCK_X509
);
129 ctx
->last_untrusted
=1;
132 /* We use a temporary STACK so we can chop and hack at it */
133 if (ctx
->untrusted
!= NULL
134 && (sktmp
=sk_X509_dup(ctx
->untrusted
)) == NULL
)
136 X509err(X509_F_X509_VERIFY_CERT
,ERR_R_MALLOC_FAILURE
);
140 num
=sk_X509_num(ctx
->chain
);
141 x
=sk_X509_value(ctx
->chain
,num
-1);
147 /* If we have enough, we break */
148 if (depth
< num
) break; /* FIXME: If this happens, we should take
149 * note of it and, if appropriate, use the
150 * X509_V_ERR_CERT_CHAIN_TOO_LONG error
154 /* If we are self signed, we break */
155 xn
=X509_get_issuer_name(x
);
156 if (ctx
->check_issued(ctx
, x
,x
)) break;
158 /* If we were passed a cert chain, use it first */
159 if (ctx
->untrusted
!= NULL
)
161 xtmp
=find_issuer(ctx
, sktmp
,x
);
164 if (!sk_X509_push(ctx
->chain
,xtmp
))
166 X509err(X509_F_X509_VERIFY_CERT
,ERR_R_MALLOC_FAILURE
);
169 CRYPTO_add(&xtmp
->references
,1,CRYPTO_LOCK_X509
);
170 (void)sk_X509_delete_ptr(sktmp
,xtmp
);
171 ctx
->last_untrusted
++;
174 /* reparse the full chain for
182 /* at this point, chain should contain a list of untrusted
183 * certificates. We now need to add at least one trusted one,
184 * if possible, otherwise we complain. */
186 /* Examine last certificate in chain and see if it
190 i
=sk_X509_num(ctx
->chain
);
191 x
=sk_X509_value(ctx
->chain
,i
-1);
192 xn
= X509_get_subject_name(x
);
193 if (ctx
->check_issued(ctx
, x
, x
))
195 /* we have a self signed certificate */
196 if (sk_X509_num(ctx
->chain
) == 1)
198 /* We have a single self signed certificate: see if
199 * we can find it in the store. We must have an exact
200 * match to avoid possible impersonation.
202 ok
= ctx
->get_issuer(&xtmp
, ctx
, x
);
203 if ((ok
<= 0) || X509_cmp(x
, xtmp
))
205 ctx
->error
=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
;
207 ctx
->error_depth
=i
-1;
208 if (ok
== 1) X509_free(xtmp
);
215 /* We have a match: replace certificate with store version
216 * so we get any trust settings.
220 (void)sk_X509_set(ctx
->chain
, i
- 1, x
);
221 ctx
->last_untrusted
=0;
226 /* extract and save self signed certificate for later use */
227 chain_ss
=sk_X509_pop(ctx
->chain
);
228 ctx
->last_untrusted
--;
230 x
=sk_X509_value(ctx
->chain
,num
-1);
234 /* We now lookup certs from the certificate store */
237 /* If we have enough, we break */
238 if (depth
< num
) break;
240 /* If we are self signed, we break */
241 xn
=X509_get_issuer_name(x
);
242 if (ctx
->check_issued(ctx
,x
,x
)) break;
244 ok
= ctx
->get_issuer(&xtmp
, ctx
, x
);
246 if (ok
< 0) return ok
;
250 if (!sk_X509_push(ctx
->chain
,x
))
253 X509err(X509_F_X509_VERIFY_CERT
,ERR_R_MALLOC_FAILURE
);
259 /* we now have our chain, lets check it... */
260 xn
=X509_get_issuer_name(x
);
262 /* Is last certificate looked up self signed? */
263 if (!ctx
->check_issued(ctx
,x
,x
))
265 if ((chain_ss
== NULL
) || !ctx
->check_issued(ctx
, x
, chain_ss
))
267 if (ctx
->last_untrusted
>= num
)
268 ctx
->error
=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
;
270 ctx
->error
=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
;
276 sk_X509_push(ctx
->chain
,chain_ss
);
278 ctx
->last_untrusted
=num
;
279 ctx
->current_cert
=chain_ss
;
280 ctx
->error
=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
;
284 ctx
->error_depth
=num
-1;
290 /* We have the chain complete: now we need to check its purpose */
291 ok
= check_chain_extensions(ctx
);
295 /* Check name constraints */
297 ok
= check_name_constraints(ctx
);
301 /* The chain extensions are OK: check trust */
303 if (param
->trust
> 0) ok
= check_trust(ctx
);
307 /* We may as well copy down any DSA parameters that are required */
308 X509_get_pubkey_parameters(NULL
,ctx
->chain
);
310 /* Check revocation status: we do this after copying parameters
311 * because they may be needed for CRL signature verification.
314 ok
= ctx
->check_revocation(ctx
);
317 /* At this point, we have a chain and need to verify it */
318 if (ctx
->verify
!= NULL
)
321 ok
=internal_verify(ctx
);
324 #ifndef OPENSSL_NO_RFC3779
325 /* RFC 3779 path validation, now that CRL check has been done */
326 ok
= v3_asid_validate_path(ctx
);
328 ok
= v3_addr_validate_path(ctx
);
332 /* If we get this far evaluate policies */
333 if (!bad_chain
&& (ctx
->param
->flags
& X509_V_FLAG_POLICY_CHECK
))
334 ok
= ctx
->check_policy(ctx
);
339 X509_get_pubkey_parameters(NULL
,ctx
->chain
);
341 if (sktmp
!= NULL
) sk_X509_free(sktmp
);
342 if (chain_ss
!= NULL
) X509_free(chain_ss
);
347 /* Given a STACK_OF(X509) find the issuer of cert (if any)
350 static X509
*find_issuer(X509_STORE_CTX
*ctx
, STACK_OF(X509
) *sk
, X509
*x
)
354 for (i
= 0; i
< sk_X509_num(sk
); i
++)
356 issuer
= sk_X509_value(sk
, i
);
357 if (ctx
->check_issued(ctx
, x
, issuer
))
363 /* Given a possible certificate and issuer check them */
365 static int check_issued(X509_STORE_CTX
*ctx
, X509
*x
, X509
*issuer
)
368 ret
= X509_check_issued(issuer
, x
);
369 if (ret
== X509_V_OK
)
371 /* If we haven't asked for issuer errors don't set ctx */
372 if (!(ctx
->param
->flags
& X509_V_FLAG_CB_ISSUER_CHECK
))
376 ctx
->current_cert
= x
;
377 ctx
->current_issuer
= issuer
;
378 return ctx
->verify_cb(0, ctx
);
382 /* Alternative lookup method: look from a STACK stored in other_ctx */
384 static int get_issuer_sk(X509
**issuer
, X509_STORE_CTX
*ctx
, X509
*x
)
386 *issuer
= find_issuer(ctx
, ctx
->other_ctx
, x
);
389 CRYPTO_add(&(*issuer
)->references
,1,CRYPTO_LOCK_X509
);
397 /* Check a certificate chains extensions for consistency
398 * with the supplied purpose
401 static int check_chain_extensions(X509_STORE_CTX
*ctx
)
403 #ifdef OPENSSL_NO_CHAIN_VERIFY
406 int i
, ok
=0, must_be_ca
, plen
= 0;
408 int (*cb
)(int xok
,X509_STORE_CTX
*xctx
);
409 int proxy_path_length
= 0;
410 int allow_proxy_certs
=
411 !!(ctx
->param
->flags
& X509_V_FLAG_ALLOW_PROXY_CERTS
);
414 /* must_be_ca can have 1 of 3 values:
415 -1: we accept both CA and non-CA certificates, to allow direct
416 use of self-signed certificates (which are marked as CA).
417 0: we only accept non-CA certificates. This is currently not
418 used, but the possibility is present for future extensions.
419 1: we only accept CA certificates. This is currently used for
420 all certificates in the chain except the leaf certificate.
424 /* A hack to keep people who don't want to modify their software
426 if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
427 allow_proxy_certs
= 1;
429 /* Check all untrusted certificates */
430 for (i
= 0; i
< ctx
->last_untrusted
; i
++)
433 x
= sk_X509_value(ctx
->chain
, i
);
434 if (!(ctx
->param
->flags
& X509_V_FLAG_IGNORE_CRITICAL
)
435 && (x
->ex_flags
& EXFLAG_CRITICAL
))
437 ctx
->error
= X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
;
438 ctx
->error_depth
= i
;
439 ctx
->current_cert
= x
;
443 if (!allow_proxy_certs
&& (x
->ex_flags
& EXFLAG_PROXY
))
445 ctx
->error
= X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
;
446 ctx
->error_depth
= i
;
447 ctx
->current_cert
= x
;
451 ret
= X509_check_ca(x
);
455 if ((ctx
->param
->flags
& X509_V_FLAG_X509_STRICT
)
456 && (ret
!= 1) && (ret
!= 0))
459 ctx
->error
= X509_V_ERR_INVALID_CA
;
468 ctx
->error
= X509_V_ERR_INVALID_NON_CA
;
475 || ((ctx
->param
->flags
& X509_V_FLAG_X509_STRICT
)
479 ctx
->error
= X509_V_ERR_INVALID_CA
;
487 ctx
->error_depth
= i
;
488 ctx
->current_cert
= x
;
492 if (ctx
->param
->purpose
> 0)
494 ret
= X509_check_purpose(x
, ctx
->param
->purpose
,
497 || ((ctx
->param
->flags
& X509_V_FLAG_X509_STRICT
)
500 ctx
->error
= X509_V_ERR_INVALID_PURPOSE
;
501 ctx
->error_depth
= i
;
502 ctx
->current_cert
= x
;
507 /* Check pathlen if not self issued */
508 if ((i
> 1) && !(x
->ex_flags
& EXFLAG_SI
)
509 && (x
->ex_pathlen
!= -1)
510 && (plen
> (x
->ex_pathlen
+ proxy_path_length
+ 1)))
512 ctx
->error
= X509_V_ERR_PATH_LENGTH_EXCEEDED
;
513 ctx
->error_depth
= i
;
514 ctx
->current_cert
= x
;
518 /* Increment path length if not self issued */
519 if (!(x
->ex_flags
& EXFLAG_SI
))
521 /* If this certificate is a proxy certificate, the next
522 certificate must be another proxy certificate or a EE
523 certificate. If not, the next certificate must be a
525 if (x
->ex_flags
& EXFLAG_PROXY
)
527 if (x
->ex_pcpathlen
!= -1 && i
> x
->ex_pcpathlen
)
530 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
;
531 ctx
->error_depth
= i
;
532 ctx
->current_cert
= x
;
548 static int check_name_constraints(X509_STORE_CTX
*ctx
)
552 /* Check name constraints for all certificates */
553 for (i
= sk_X509_num(ctx
->chain
) - 1; i
>= 0; i
--)
555 x
= sk_X509_value(ctx
->chain
, i
);
556 /* Ignore self issued certs unless last in chain */
557 if (i
&& (x
->ex_flags
& EXFLAG_SI
))
559 /* Check against constraints for all certificates higher in
560 * chain including trust anchor. Trust anchor not strictly
561 * speaking needed but if it includes constraints it is to be
562 * assumed it expects them to be obeyed.
564 for (j
= sk_X509_num(ctx
->chain
) - 1; j
> i
; j
--)
566 NAME_CONSTRAINTS
*nc
= sk_X509_value(ctx
->chain
, j
)->nc
;
569 rv
= NAME_CONSTRAINTS_check(x
, nc
);
573 ctx
->error_depth
= i
;
574 ctx
->current_cert
= x
;
575 if (!ctx
->verify_cb(0,ctx
))
584 static int check_trust(X509_STORE_CTX
*ctx
)
586 #ifdef OPENSSL_NO_CHAIN_VERIFY
591 int (*cb
)(int xok
,X509_STORE_CTX
*xctx
);
593 /* For now just check the last certificate in the chain */
594 i
= sk_X509_num(ctx
->chain
) - 1;
595 x
= sk_X509_value(ctx
->chain
, i
);
596 ok
= X509_check_trust(x
, ctx
->param
->trust
, 0);
597 if (ok
== X509_TRUST_TRUSTED
)
599 ctx
->error_depth
= i
;
600 ctx
->current_cert
= x
;
601 if (ok
== X509_TRUST_REJECTED
)
602 ctx
->error
= X509_V_ERR_CERT_REJECTED
;
604 ctx
->error
= X509_V_ERR_CERT_UNTRUSTED
;
610 static int check_revocation(X509_STORE_CTX
*ctx
)
613 if (!(ctx
->param
->flags
& X509_V_FLAG_CRL_CHECK
))
615 if (ctx
->param
->flags
& X509_V_FLAG_CRL_CHECK_ALL
)
616 last
= sk_X509_num(ctx
->chain
) - 1;
619 for(i
= 0; i
<= last
; i
++)
621 ctx
->error_depth
= i
;
622 ok
= check_cert(ctx
);
628 static int check_cert(X509_STORE_CTX
*ctx
)
630 X509_CRL
*crl
= NULL
;
633 cnum
= ctx
->error_depth
;
634 x
= sk_X509_value(ctx
->chain
, cnum
);
635 ctx
->current_cert
= x
;
636 ctx
->current_issuer
= NULL
;
637 /* Try to retrieve relevant CRL */
638 ok
= ctx
->get_crl(ctx
, &crl
, x
);
639 /* If error looking up CRL, nothing we can do except
644 ctx
->error
= X509_V_ERR_UNABLE_TO_GET_CRL
;
645 ok
= ctx
->verify_cb(0, ctx
);
648 ctx
->current_crl
= crl
;
649 ok
= ctx
->check_crl(ctx
, crl
);
651 ok
= ctx
->cert_crl(ctx
, crl
, x
);
653 ctx
->current_crl
= NULL
;
659 /* Check CRL times against values in X509_STORE_CTX */
661 static int check_crl_time(X509_STORE_CTX
*ctx
, X509_CRL
*crl
, int notify
)
665 ctx
->current_crl
= crl
;
666 if (ctx
->param
->flags
& X509_V_FLAG_USE_CHECK_TIME
)
667 ptime
= &ctx
->param
->check_time
;
671 i
=X509_cmp_time(X509_CRL_get_lastUpdate(crl
), ptime
);
674 ctx
->error
=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
;
675 if (!notify
|| !ctx
->verify_cb(0, ctx
))
681 ctx
->error
=X509_V_ERR_CRL_NOT_YET_VALID
;
682 if (!notify
|| !ctx
->verify_cb(0, ctx
))
686 if(X509_CRL_get_nextUpdate(crl
))
688 i
=X509_cmp_time(X509_CRL_get_nextUpdate(crl
), ptime
);
692 ctx
->error
=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
;
693 if (!notify
|| !ctx
->verify_cb(0, ctx
))
699 ctx
->error
=X509_V_ERR_CRL_HAS_EXPIRED
;
700 if (!notify
|| !ctx
->verify_cb(0, ctx
))
705 ctx
->current_crl
= NULL
;
710 /* Based on a set of possible CRLs decide which one is best suited
711 * to handle the current certificate. This is determined by a number
712 * of criteria. If any of the "must" criteria is not satisfied then
713 * the candidate CRL is rejected. If all "must" and all "should" are
714 * satisfied the CRL is accepted. If no CRL satisfies all criteria then
715 * a "best CRL" is used to provide some meaningful error information.
717 * CRL issuer name must match "nm" if not NULL.
719 * a. it must be consistent.
720 * b. onlyuser, onlyCA, onlyAA should match certificate being checked.
721 * c. indirectCRL must be FALSE.
722 * d. onlysomereason must be absent.
723 * e. if name present a DP in certificate CRLDP must match.
724 * If AKID present it should match certificate AKID.
725 * Check time should fall between lastUpdate and nextUpdate.
728 /* IDP name field matches CRLDP or IDP name not present */
729 #define CRL_SCORE_SCOPE 4
730 /* AKID present and matches cert, or AKID not present */
731 #define CRL_SCORE_AKID 2
733 #define CRL_SCORE_TIME 1
735 #define CRL_SCORE_ALL 7
737 /* IDP flags which cause a CRL to be rejected */
739 #define IDP_REJECT (IDP_INVALID|IDP_INDIRECT|IDP_REASONS)
741 static int get_crl_sk(X509_STORE_CTX
*ctx
, X509_CRL
**pcrl
,
742 X509_NAME
*nm
, STACK_OF(X509_CRL
) *crls
)
744 int i
, crl_score
, best_score
= -1;
745 X509_CRL
*crl
, *best_crl
= NULL
;
746 X509
*crl_issuer
, *best_crl_issuer
= NULL
;
747 for (i
= 0; i
< sk_X509_CRL_num(crls
); i
++)
751 crl
= sk_X509_CRL_value(crls
, i
);
752 if (nm
&& X509_NAME_cmp(nm
, X509_CRL_get_issuer(crl
)))
754 if (check_crl_time(ctx
, crl
, 0))
755 crl_score
|= CRL_SCORE_TIME
;
757 if (crl
->idp_flags
& IDP_PRESENT
)
759 if (crl
->idp_flags
& IDP_REJECT
)
761 if (idp_check_scope(ctx
->current_cert
, crl
))
762 crl_score
|= CRL_SCORE_SCOPE
;
765 crl_score
|= CRL_SCORE_SCOPE
;
767 if (crl_akid_check(ctx
, crl
, &crl_issuer
))
768 crl_score
|= CRL_SCORE_AKID
;
769 /* If CRL matches criteria and issuer is not different use it */
770 if (crl_score
== CRL_SCORE_ALL
&& !crl_issuer
)
773 CRYPTO_add(&crl
->references
, 1, CRYPTO_LOCK_X509_CRL
);
777 if (crl_score
> best_score
)
780 best_crl_issuer
= crl_issuer
;
781 best_score
= crl_score
;
787 ctx
->current_issuer
= best_crl_issuer
;
788 CRYPTO_add(&best_crl
->references
, 1, CRYPTO_LOCK_X509
);
794 static int crl_akid_check(X509_STORE_CTX
*ctx
, X509_CRL
*crl
, X509
**pissuer
)
797 int cidx
= ctx
->error_depth
;
800 if (cidx
!= sk_X509_num(ctx
->chain
) - 1)
802 crl_issuer
= sk_X509_value(ctx
->chain
, cidx
);
803 if (X509_check_akid(crl_issuer
, crl
->akid
) == X509_V_OK
)
805 /* If crl_issuer is self issued we may get a match further along the
808 if (crl_issuer
->ex_flags
& EXFLAG_SI
)
810 for (cidx
++; cidx
< sk_X509_num(ctx
->chain
); cidx
++)
812 crl_issuer
= sk_X509_value(ctx
->chain
, cidx
);
813 if (X509_check_akid(crl_issuer
, crl
->akid
) == X509_V_OK
)
815 *pissuer
= crl_issuer
;
818 if (!(crl_issuer
->ex_flags
& EXFLAG_SI
))
826 /* Check for match between two dist point names: three separate cases.
827 * 1. Both are relative names and compare X509_NAME types.
828 * 2. One full, one relative. Compare X509_NAME to GENERAL_NAMES.
829 * 3. Both are full names and compare two GENERAL_NAMES.
833 static int idp_check_dp(DIST_POINT_NAME
*a
, DIST_POINT_NAME
*b
)
835 X509_NAME
*nm
= NULL
;
836 GENERAL_NAMES
*gens
= NULL
;
837 GENERAL_NAME
*gena
, *genb
;
843 /* Case 1: two X509_NAME */
848 if (!X509_NAME_cmp(a
->dpname
, b
->dpname
))
853 /* Case 2: set name and GENERAL_NAMES appropriately */
855 gens
= b
->name
.fullname
;
857 else if (b
->type
== 1)
861 /* Case 2: set name and GENERAL_NAMES appropriately */
862 gens
= a
->name
.fullname
;
866 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
869 for (i
= 0; i
< sk_GENERAL_NAME_num(gens
); i
++)
871 gena
= sk_GENERAL_NAME_value(gens
, i
);
872 if (gena
->type
!= GEN_DIRNAME
)
874 if (!X509_NAME_cmp(nm
, gena
->d
.directoryName
))
880 /* Else case 3: two GENERAL_NAMES */
882 for (i
= 0; i
< sk_GENERAL_NAME_num(a
->name
.fullname
); i
++)
884 gena
= sk_GENERAL_NAME_value(a
->name
.fullname
, i
);
885 for (j
= 0; j
< sk_GENERAL_NAME_num(b
->name
.fullname
); j
++)
887 genb
= sk_GENERAL_NAME_value(b
->name
.fullname
, j
);
888 if (!GENERAL_NAME_cmp(gena
, genb
))
897 /* Check IDP name matches at least one CRLDP name */
899 static int idp_check_scope(X509
*x
, X509_CRL
*crl
)
902 if (crl
->idp_flags
& IDP_ONLYATTR
)
904 if (x
->ex_flags
& EXFLAG_CA
)
906 if (crl
->idp_flags
& IDP_ONLYUSER
)
911 if (crl
->idp_flags
& IDP_ONLYCA
)
914 if (!crl
->idp
->distpoint
)
918 for (i
= 0; i
< sk_DIST_POINT_num(x
->crldp
); i
++)
920 DIST_POINT
*dp
= sk_DIST_POINT_value(x
->crldp
, i
);
921 /* We don't handle these at present */
922 if (dp
->reasons
|| dp
->CRLissuer
)
924 if (idp_check_dp(dp
->distpoint
, crl
->idp
->distpoint
))
930 /* Retrieve CRL corresponding to current certificate. Currently only
931 * one CRL is retrieved. Multiple CRLs may be needed if we handle
932 * CRLs partitioned on reason code later.
935 static int get_crl(X509_STORE_CTX
*ctx
, X509_CRL
**pcrl
, X509
*x
)
938 X509_CRL
*crl
= NULL
;
939 STACK_OF(X509_CRL
) *skcrl
;
941 nm
= X509_get_issuer_name(x
);
942 ok
= get_crl_sk(ctx
, &crl
, nm
, ctx
->crls
);
949 /* Lookup CRLs from store */
951 skcrl
= ctx
->lookup_crls(ctx
, nm
);
953 /* If no CRLs found and a near match from get_crl_sk use that */
964 get_crl_sk(ctx
, &crl
, NULL
, skcrl
);
966 sk_X509_CRL_pop_free(skcrl
, X509_CRL_free
);
968 /* If we got any kind of CRL use it and return success */
978 /* Check CRL validity */
979 static int check_crl(X509_STORE_CTX
*ctx
, X509_CRL
*crl
)
982 EVP_PKEY
*ikey
= NULL
;
983 int ok
= 0, chnum
, cnum
;
984 cnum
= ctx
->error_depth
;
985 chnum
= sk_X509_num(ctx
->chain
) - 1;
986 /* if we have an alternative CRL issuer cert use that */
987 if (ctx
->current_issuer
)
988 issuer
= ctx
->current_issuer
;
989 /* Else find CRL issuer: if not last certificate then issuer
990 * is next certificate in chain.
992 else if (cnum
< chnum
)
993 issuer
= sk_X509_value(ctx
->chain
, cnum
+ 1);
996 issuer
= sk_X509_value(ctx
->chain
, chnum
);
997 /* If not self signed, can't check signature */
998 if(!ctx
->check_issued(ctx
, issuer
, issuer
))
1000 ctx
->error
= X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
;
1001 ok
= ctx
->verify_cb(0, ctx
);
1008 /* Check for cRLSign bit if keyUsage present */
1009 if ((issuer
->ex_flags
& EXFLAG_KUSAGE
) &&
1010 !(issuer
->ex_kusage
& KU_CRL_SIGN
))
1012 ctx
->error
= X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
;
1013 ok
= ctx
->verify_cb(0, ctx
);
1017 if (crl
->idp_flags
& IDP_PRESENT
)
1019 if (crl
->idp_flags
& IDP_INVALID
)
1021 ctx
->error
= X509_V_ERR_INVALID_EXTENSION
;
1022 ok
= ctx
->verify_cb(0, ctx
);
1025 if (crl
->idp_flags
& (IDP_REASONS
|IDP_INDIRECT
))
1027 ctx
->error
= X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
;
1028 ok
= ctx
->verify_cb(0, ctx
);
1031 if (!idp_check_scope(ctx
->current_cert
, crl
))
1033 ctx
->error
= X509_V_ERR_DIFFERENT_CRL_SCOPE
;
1034 ok
= ctx
->verify_cb(0, ctx
);
1039 /* Attempt to get issuer certificate public key */
1040 ikey
= X509_get_pubkey(issuer
);
1044 ctx
->error
=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
;
1045 ok
= ctx
->verify_cb(0, ctx
);
1050 /* Verify CRL signature */
1051 if(X509_CRL_verify(crl
, ikey
) <= 0)
1053 ctx
->error
=X509_V_ERR_CRL_SIGNATURE_FAILURE
;
1054 ok
= ctx
->verify_cb(0, ctx
);
1060 ok
= check_crl_time(ctx
, crl
, 1);
1067 EVP_PKEY_free(ikey
);
1071 /* Check certificate against CRL */
1072 static int cert_crl(X509_STORE_CTX
*ctx
, X509_CRL
*crl
, X509
*x
)
1075 /* Look for serial number of certificate in CRL
1076 * If found assume revoked: want something cleverer than
1077 * this to handle entry extensions in V2 CRLs.
1079 if (X509_CRL_get0_by_serial(crl
, NULL
, X509_get_serialNumber(x
)) > 0)
1081 ctx
->error
= X509_V_ERR_CERT_REVOKED
;
1082 ok
= ctx
->verify_cb(0, ctx
);
1087 if (crl
->flags
& EXFLAG_CRITICAL
)
1089 if (ctx
->param
->flags
& X509_V_FLAG_IGNORE_CRITICAL
)
1091 ctx
->error
= X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
;
1092 ok
= ctx
->verify_cb(0, ctx
);
1100 static int check_policy(X509_STORE_CTX
*ctx
)
1103 ret
= X509_policy_check(&ctx
->tree
, &ctx
->explicit_policy
, ctx
->chain
,
1104 ctx
->param
->policies
, ctx
->param
->flags
);
1107 X509err(X509_F_CHECK_POLICY
,ERR_R_MALLOC_FAILURE
);
1110 /* Invalid or inconsistent extensions */
1113 /* Locate certificates with bad extensions and notify
1118 for (i
= 1; i
< sk_X509_num(ctx
->chain
); i
++)
1120 x
= sk_X509_value(ctx
->chain
, i
);
1121 if (!(x
->ex_flags
& EXFLAG_INVALID_POLICY
))
1123 ctx
->current_cert
= x
;
1124 ctx
->error
= X509_V_ERR_INVALID_POLICY_EXTENSION
;
1125 ret
= ctx
->verify_cb(0, ctx
);
1131 ctx
->current_cert
= NULL
;
1132 ctx
->error
= X509_V_ERR_NO_EXPLICIT_POLICY
;
1133 return ctx
->verify_cb(0, ctx
);
1136 if (ctx
->param
->flags
& X509_V_FLAG_NOTIFY_POLICY
)
1138 ctx
->current_cert
= NULL
;
1139 ctx
->error
= X509_V_OK
;
1140 if (!ctx
->verify_cb(2, ctx
))
1147 static int check_cert_time(X509_STORE_CTX
*ctx
, X509
*x
)
1152 if (ctx
->param
->flags
& X509_V_FLAG_USE_CHECK_TIME
)
1153 ptime
= &ctx
->param
->check_time
;
1157 i
=X509_cmp_time(X509_get_notBefore(x
), ptime
);
1160 ctx
->error
=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
;
1161 ctx
->current_cert
=x
;
1162 if (!ctx
->verify_cb(0, ctx
))
1168 ctx
->error
=X509_V_ERR_CERT_NOT_YET_VALID
;
1169 ctx
->current_cert
=x
;
1170 if (!ctx
->verify_cb(0, ctx
))
1174 i
=X509_cmp_time(X509_get_notAfter(x
), ptime
);
1177 ctx
->error
=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
;
1178 ctx
->current_cert
=x
;
1179 if (!ctx
->verify_cb(0, ctx
))
1185 ctx
->error
=X509_V_ERR_CERT_HAS_EXPIRED
;
1186 ctx
->current_cert
=x
;
1187 if (!ctx
->verify_cb(0, ctx
))
1194 static int internal_verify(X509_STORE_CTX
*ctx
)
1198 EVP_PKEY
*pkey
=NULL
;
1199 int (*cb
)(int xok
,X509_STORE_CTX
*xctx
);
1203 n
=sk_X509_num(ctx
->chain
);
1204 ctx
->error_depth
=n
-1;
1206 xi
=sk_X509_value(ctx
->chain
,n
);
1208 if (ctx
->check_issued(ctx
, xi
, xi
))
1214 ctx
->error
=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
;
1215 ctx
->current_cert
=xi
;
1223 xs
=sk_X509_value(ctx
->chain
,n
);
1227 /* ctx->error=0; not needed */
1233 if ((pkey
=X509_get_pubkey(xi
)) == NULL
)
1235 ctx
->error
=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
;
1236 ctx
->current_cert
=xi
;
1240 else if (X509_verify(xs
,pkey
) <= 0)
1241 /* XXX For the final trusted self-signed cert,
1242 * this is a waste of time. That check should
1243 * optional so that e.g. 'openssl x509' can be
1244 * used to detect invalid self-signatures, but
1245 * we don't verify again and again in SSL
1246 * handshakes and the like once the cert has
1247 * been declared trusted. */
1249 ctx
->error
=X509_V_ERR_CERT_SIGNATURE_FAILURE
;
1250 ctx
->current_cert
=xs
;
1254 EVP_PKEY_free(pkey
);
1258 EVP_PKEY_free(pkey
);
1264 ok
= check_cert_time(ctx
, xs
);
1268 /* The last error (if any) is still in the error value */
1269 ctx
->current_issuer
=xi
;
1270 ctx
->current_cert
=xs
;
1278 xs
=sk_X509_value(ctx
->chain
,n
);
1286 int X509_cmp_current_time(const ASN1_TIME
*ctm
)
1288 return X509_cmp_time(ctm
, NULL
);
1291 int X509_cmp_time(const ASN1_TIME
*ctm
, time_t *cmp_time
)
1296 char buff1
[24],buff2
[24],*p
;
1301 str
=(char *)ctm
->data
;
1302 if (ctm
->type
== V_ASN1_UTCTIME
)
1304 if ((i
< 11) || (i
> 17)) return 0;
1311 if (i
< 13) return 0;
1317 if ((*str
== 'Z') || (*str
== '-') || (*str
== '+'))
1318 { *(p
++)='0'; *(p
++)='0'; }
1323 /* Skip any fractional seconds... */
1327 while ((*str
>= '0') && (*str
<= '9')) str
++;
1338 if ((*str
!= '+') && (*str
!= '-'))
1340 offset
=((str
[1]-'0')*10+(str
[2]-'0'))*60;
1341 offset
+=(str
[3]-'0')*10+(str
[4]-'0');
1346 atm
.length
=sizeof(buff2
);
1347 atm
.data
=(unsigned char *)buff2
;
1349 if (X509_time_adj(&atm
,-offset
*60, cmp_time
) == NULL
)
1352 if (ctm
->type
== V_ASN1_UTCTIME
)
1354 i
=(buff1
[0]-'0')*10+(buff1
[1]-'0');
1355 if (i
< 50) i
+=100; /* cf. RFC 2459 */
1356 j
=(buff2
[0]-'0')*10+(buff2
[1]-'0');
1359 if (i
< j
) return -1;
1360 if (i
> j
) return 1;
1362 i
=strcmp(buff1
,buff2
);
1363 if (i
== 0) /* wait a second then return younger :-) */
1369 ASN1_TIME
*X509_gmtime_adj(ASN1_TIME
*s
, long adj
)
1371 return X509_time_adj(s
, adj
, NULL
);
1374 ASN1_TIME
*X509_time_adj(ASN1_TIME
*s
, long adj
, time_t *in_tm
)
1379 if (in_tm
) t
= *in_tm
;
1383 if (s
) type
= s
->type
;
1384 if (type
== V_ASN1_UTCTIME
) return ASN1_UTCTIME_set(s
,t
);
1385 if (type
== V_ASN1_GENERALIZEDTIME
) return ASN1_GENERALIZEDTIME_set(s
, t
);
1386 return ASN1_TIME_set(s
, t
);
1389 int X509_get_pubkey_parameters(EVP_PKEY
*pkey
, STACK_OF(X509
) *chain
)
1391 EVP_PKEY
*ktmp
=NULL
,*ktmp2
;
1394 if ((pkey
!= NULL
) && !EVP_PKEY_missing_parameters(pkey
)) return 1;
1396 for (i
=0; i
<sk_X509_num(chain
); i
++)
1398 ktmp
=X509_get_pubkey(sk_X509_value(chain
,i
));
1401 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS
,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY
);
1404 if (!EVP_PKEY_missing_parameters(ktmp
))
1408 EVP_PKEY_free(ktmp
);
1414 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS
,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN
);
1418 /* first, populate the other certs */
1419 for (j
=i
-1; j
>= 0; j
--)
1421 ktmp2
=X509_get_pubkey(sk_X509_value(chain
,j
));
1422 EVP_PKEY_copy_parameters(ktmp2
,ktmp
);
1423 EVP_PKEY_free(ktmp2
);
1426 if (pkey
!= NULL
) EVP_PKEY_copy_parameters(pkey
,ktmp
);
1427 EVP_PKEY_free(ktmp
);
1431 int X509_STORE_CTX_get_ex_new_index(long argl
, void *argp
, CRYPTO_EX_new
*new_func
,
1432 CRYPTO_EX_dup
*dup_func
, CRYPTO_EX_free
*free_func
)
1434 /* This function is (usually) called only once, by
1435 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
1436 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX
, argl
, argp
,
1437 new_func
, dup_func
, free_func
);
1440 int X509_STORE_CTX_set_ex_data(X509_STORE_CTX
*ctx
, int idx
, void *data
)
1442 return CRYPTO_set_ex_data(&ctx
->ex_data
,idx
,data
);
1445 void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX
*ctx
, int idx
)
1447 return CRYPTO_get_ex_data(&ctx
->ex_data
,idx
);
1450 int X509_STORE_CTX_get_error(X509_STORE_CTX
*ctx
)
1455 void X509_STORE_CTX_set_error(X509_STORE_CTX
*ctx
, int err
)
1460 int X509_STORE_CTX_get_error_depth(X509_STORE_CTX
*ctx
)
1462 return ctx
->error_depth
;
1465 X509
*X509_STORE_CTX_get_current_cert(X509_STORE_CTX
*ctx
)
1467 return ctx
->current_cert
;
1470 STACK_OF(X509
) *X509_STORE_CTX_get_chain(X509_STORE_CTX
*ctx
)
1475 STACK_OF(X509
) *X509_STORE_CTX_get1_chain(X509_STORE_CTX
*ctx
)
1479 STACK_OF(X509
) *chain
;
1480 if (!ctx
->chain
|| !(chain
= sk_X509_dup(ctx
->chain
))) return NULL
;
1481 for (i
= 0; i
< sk_X509_num(chain
); i
++)
1483 x
= sk_X509_value(chain
, i
);
1484 CRYPTO_add(&x
->references
, 1, CRYPTO_LOCK_X509
);
1489 void X509_STORE_CTX_set_cert(X509_STORE_CTX
*ctx
, X509
*x
)
1494 void X509_STORE_CTX_set_chain(X509_STORE_CTX
*ctx
, STACK_OF(X509
) *sk
)
1499 void X509_STORE_CTX_set0_crls(X509_STORE_CTX
*ctx
, STACK_OF(X509_CRL
) *sk
)
1504 int X509_STORE_CTX_set_purpose(X509_STORE_CTX
*ctx
, int purpose
)
1506 return X509_STORE_CTX_purpose_inherit(ctx
, 0, purpose
, 0);
1509 int X509_STORE_CTX_set_trust(X509_STORE_CTX
*ctx
, int trust
)
1511 return X509_STORE_CTX_purpose_inherit(ctx
, 0, 0, trust
);
1514 /* This function is used to set the X509_STORE_CTX purpose and trust
1515 * values. This is intended to be used when another structure has its
1516 * own trust and purpose values which (if set) will be inherited by
1517 * the ctx. If they aren't set then we will usually have a default
1518 * purpose in mind which should then be used to set the trust value.
1519 * An example of this is SSL use: an SSL structure will have its own
1520 * purpose and trust settings which the application can set: if they
1521 * aren't set then we use the default of SSL client/server.
1524 int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX
*ctx
, int def_purpose
,
1525 int purpose
, int trust
)
1528 /* If purpose not set use default */
1529 if (!purpose
) purpose
= def_purpose
;
1530 /* If we have a purpose then check it is valid */
1534 idx
= X509_PURPOSE_get_by_id(purpose
);
1537 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT
,
1538 X509_R_UNKNOWN_PURPOSE_ID
);
1541 ptmp
= X509_PURPOSE_get0(idx
);
1542 if (ptmp
->trust
== X509_TRUST_DEFAULT
)
1544 idx
= X509_PURPOSE_get_by_id(def_purpose
);
1547 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT
,
1548 X509_R_UNKNOWN_PURPOSE_ID
);
1551 ptmp
= X509_PURPOSE_get0(idx
);
1553 /* If trust not set then get from purpose default */
1554 if (!trust
) trust
= ptmp
->trust
;
1558 idx
= X509_TRUST_get_by_id(trust
);
1561 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT
,
1562 X509_R_UNKNOWN_TRUST_ID
);
1567 if (purpose
&& !ctx
->param
->purpose
) ctx
->param
->purpose
= purpose
;
1568 if (trust
&& !ctx
->param
->trust
) ctx
->param
->trust
= trust
;
1572 X509_STORE_CTX
*X509_STORE_CTX_new(void)
1574 X509_STORE_CTX
*ctx
;
1575 ctx
= (X509_STORE_CTX
*)OPENSSL_malloc(sizeof(X509_STORE_CTX
));
1578 X509err(X509_F_X509_STORE_CTX_NEW
,ERR_R_MALLOC_FAILURE
);
1581 memset(ctx
, 0, sizeof(X509_STORE_CTX
));
1585 void X509_STORE_CTX_free(X509_STORE_CTX
*ctx
)
1587 X509_STORE_CTX_cleanup(ctx
);
1591 int X509_STORE_CTX_init(X509_STORE_CTX
*ctx
, X509_STORE
*store
, X509
*x509
,
1592 STACK_OF(X509
) *chain
)
1596 ctx
->current_method
=0;
1598 ctx
->untrusted
=chain
;
1600 ctx
->last_untrusted
=0;
1601 ctx
->other_ctx
=NULL
;
1605 ctx
->explicit_policy
=0;
1607 ctx
->current_cert
=NULL
;
1608 ctx
->current_issuer
=NULL
;
1611 ctx
->param
= X509_VERIFY_PARAM_new();
1615 X509err(X509_F_X509_STORE_CTX_INIT
,ERR_R_MALLOC_FAILURE
);
1619 /* Inherit callbacks and flags from X509_STORE if not set
1625 ret
= X509_VERIFY_PARAM_inherit(ctx
->param
, store
->param
);
1627 ctx
->param
->flags
|= X509_VP_FLAG_DEFAULT
|X509_VP_FLAG_ONCE
;
1631 ctx
->verify_cb
= store
->verify_cb
;
1632 ctx
->cleanup
= store
->cleanup
;
1638 ret
= X509_VERIFY_PARAM_inherit(ctx
->param
,
1639 X509_VERIFY_PARAM_lookup("default"));
1643 X509err(X509_F_X509_STORE_CTX_INIT
,ERR_R_MALLOC_FAILURE
);
1647 if (store
&& store
->check_issued
)
1648 ctx
->check_issued
= store
->check_issued
;
1650 ctx
->check_issued
= check_issued
;
1652 if (store
&& store
->get_issuer
)
1653 ctx
->get_issuer
= store
->get_issuer
;
1655 ctx
->get_issuer
= X509_STORE_CTX_get1_issuer
;
1657 if (store
&& store
->verify_cb
)
1658 ctx
->verify_cb
= store
->verify_cb
;
1660 ctx
->verify_cb
= null_callback
;
1662 if (store
&& store
->verify
)
1663 ctx
->verify
= store
->verify
;
1665 ctx
->verify
= internal_verify
;
1667 if (store
&& store
->check_revocation
)
1668 ctx
->check_revocation
= store
->check_revocation
;
1670 ctx
->check_revocation
= check_revocation
;
1672 if (store
&& store
->get_crl
)
1673 ctx
->get_crl
= store
->get_crl
;
1675 ctx
->get_crl
= get_crl
;
1677 if (store
&& store
->check_crl
)
1678 ctx
->check_crl
= store
->check_crl
;
1680 ctx
->check_crl
= check_crl
;
1682 if (store
&& store
->cert_crl
)
1683 ctx
->cert_crl
= store
->cert_crl
;
1685 ctx
->cert_crl
= cert_crl
;
1687 if (store
&& store
->lookup_certs
)
1688 ctx
->lookup_certs
= store
->lookup_certs
;
1690 ctx
->lookup_certs
= X509_STORE_get1_certs
;
1692 if (store
&& store
->lookup_crls
)
1693 ctx
->lookup_crls
= store
->lookup_crls
;
1695 ctx
->lookup_crls
= X509_STORE_get1_crls
;
1697 ctx
->check_policy
= check_policy
;
1700 /* This memset() can't make any sense anyway, so it's removed. As
1701 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
1702 * corresponding "new" here and remove this bogus initialisation. */
1703 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
1704 if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX
, ctx
,
1708 X509err(X509_F_X509_STORE_CTX_INIT
,ERR_R_MALLOC_FAILURE
);
1714 /* Set alternative lookup method: just a STACK of trusted certificates.
1715 * This avoids X509_STORE nastiness where it isn't needed.
1718 void X509_STORE_CTX_trusted_stack(X509_STORE_CTX
*ctx
, STACK_OF(X509
) *sk
)
1720 ctx
->other_ctx
= sk
;
1721 ctx
->get_issuer
= get_issuer_sk
;
1724 void X509_STORE_CTX_cleanup(X509_STORE_CTX
*ctx
)
1726 if (ctx
->cleanup
) ctx
->cleanup(ctx
);
1727 if (ctx
->param
!= NULL
)
1729 X509_VERIFY_PARAM_free(ctx
->param
);
1732 if (ctx
->tree
!= NULL
)
1734 X509_policy_tree_free(ctx
->tree
);
1737 if (ctx
->chain
!= NULL
)
1739 sk_X509_pop_free(ctx
->chain
,X509_free
);
1742 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX
, ctx
, &(ctx
->ex_data
));
1743 memset(&ctx
->ex_data
,0,sizeof(CRYPTO_EX_DATA
));
1746 void X509_STORE_CTX_set_depth(X509_STORE_CTX
*ctx
, int depth
)
1748 X509_VERIFY_PARAM_set_depth(ctx
->param
, depth
);
1751 void X509_STORE_CTX_set_flags(X509_STORE_CTX
*ctx
, unsigned long flags
)
1753 X509_VERIFY_PARAM_set_flags(ctx
->param
, flags
);
1756 void X509_STORE_CTX_set_time(X509_STORE_CTX
*ctx
, unsigned long flags
, time_t t
)
1758 X509_VERIFY_PARAM_set_time(ctx
->param
, t
);
1761 void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX
*ctx
,
1762 int (*verify_cb
)(int, X509_STORE_CTX
*))
1764 ctx
->verify_cb
=verify_cb
;
1767 X509_POLICY_TREE
*X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX
*ctx
)
1772 int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX
*ctx
)
1774 return ctx
->explicit_policy
;
1777 int X509_STORE_CTX_set_default(X509_STORE_CTX
*ctx
, const char *name
)
1779 const X509_VERIFY_PARAM
*param
;
1780 param
= X509_VERIFY_PARAM_lookup(name
);
1783 return X509_VERIFY_PARAM_inherit(ctx
->param
, param
);
1786 X509_VERIFY_PARAM
*X509_STORE_CTX_get0_param(X509_STORE_CTX
*ctx
)
1791 void X509_STORE_CTX_set0_param(X509_STORE_CTX
*ctx
, X509_VERIFY_PARAM
*param
)
1794 X509_VERIFY_PARAM_free(ctx
->param
);
1798 IMPLEMENT_STACK_OF(X509
)
1799 IMPLEMENT_ASN1_SET_OF(X509
)
1801 IMPLEMENT_STACK_OF(X509_NAME
)
1803 IMPLEMENT_STACK_OF(X509_ATTRIBUTE
)
1804 IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE
)