
26                             const OSSL_CMP_MSG *msg, X509 *cert)
33 if (!ossl_assert(cmp_ctx != NULL && msg != NULL && cert != NULL))
40 && (X509_get_key_usage(cert) & X509v3_KU_DIGITAL_SIGNATURE) == 0) {
45 pubkey = X509_get_pubkey(cert);
63 res = ossl_x509_print_ex_brief(bio, cert, X509_FLAG_NO_EXTENSIONS);
100 * certs (possibly including CRLs and a cert verification callback function)
106 X509_STORE *trusted_store, X509 *cert)
112 if (ctx == NULL || cert == NULL) {
124 cert, ctx->untrusted))
174 /* Return 0 if skid != NULL and there is no matching subject key ID in cert */
198 ossl_cmp_log1(INFO, ctx, " cert Subject Key Identifier = %s", str);
206 static int already_checked(const X509 *cert,
212 if (X509_cmp(sk_X509_value(already_checked, i - 1), cert) == 0)
218 * Check if the given cert is acceptable as sender cert of the given message.
220 * and the cert must be current (checked if ctx->trusted is not NULL).
221 * Note that cert revocation etc. is checked by OSSL_CMP_validate_cert_path().
226 const char *desc1, const char *desc2, X509 *cert,
232 int self_issued = X509_check_issued(cert, cert) == X509_V_OK;
239 if ((str = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0)) != NULL)
243 str = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);
249 if (already_checked(cert, already_checked1)
250 || already_checked(cert, already_checked2)) {
251 ossl_cmp_info(ctx, " cert has already been checked");
255 time_cmp = X509_cmp_timeframe(vpm, X509_get0_notBefore(cert),
256 X509_get0_notAfter(cert));
258 ossl_cmp_warn(ctx, time_cmp > 0 ? "cert has expired"
259 : "cert is not yet valid");
264 "cert subject", X509_get_subject_name(cert),
268 if (!check_kid(ctx, X509_get0_subject_key_id(cert), msg->header->senderKID))
271 if (!ossl_x509v3_cache_extensions(cert)) {
272 ossl_cmp_warn(ctx, "cert appears to be invalid");
275 if (!verify_signature(ctx, msg, cert)) {
280 ossl_cmp_info(ctx, " cert seems acceptable");
291 "msg signature validates but cert path validation failed");
299 * from extraCerts as trust anchor to validate sender cert -
320 "also exceptional 3GPP mode cert path validation failed");
344 static int check_msg_given_cert(const OSSL_CMP_CTX *ctx, X509 *cert,
347 return cert_acceptable(ctx, "previously validated", "sender cert",
348 cert, NULL, NULL, msg)
349 && (check_cert_path(ctx, ctx->trusted, cert)
350 || check_cert_path_3gpp(ctx, msg, cert));
356 * On success cache the found cert using ossl_cmp_ctx_set0_validatedSrvCert().
374 X509 *cert = sk_X509_value(certs, i);
376 if (!ossl_assert(cert != NULL))
378 if (!cert_acceptable(ctx, "cert from", desc, cert,
382 if (mode_3gpp ? check_cert_path_3gpp(ctx, msg, cert)
383 : check_cert_path(ctx, ctx->trusted, cert)) {
384 /* store successful sender cert for further msgs in transaction */
385 if (!X509_up_ref(cert))
387 if (!ossl_cmp_ctx_set0_validatedSrvCert(ctx, cert)) {
388 X509_free(cert);
395 ossl_cmp_warn(ctx, "no acceptable cert in extraCerts");
402 * On success cache the found cert using ossl_cmp_ctx_set0_validatedSrvCert().
446 * Verify message signature with any acceptable and valid candidate cert.
447 * On success cache the found cert using ossl_cmp_ctx_set0_validatedSrvCert().
451 X509 *scrt = ctx->validatedSrvCert; /* previous successful sender cert */
483 /* cached sender cert has proven to be no longer usable */
487 "trying to verify msg signature with previously validated cert");
499 /* failed finding a sender cert that verifies the message signature */
506 ossl_cmp_info(ctx, "trying to verify msg signature with a valid cert that..");
540 * On success cache the found cert using ossl_cmp_ctx_set0_validatedSrvCert().
623 ossl_cmp_info(ctx, "no trust store nor pinned server cert available for verifying signature-based CMP message protection");
629 } else { /* use pinned sender cert */