Lines Matching defs:chain
150 * The error cert is |x| if not NULL, else defaults to the chain cert at depth.
160 ctx->current_cert = (x != NULL) ? x : sk_X509_value(ctx->chain, depth);
186 int num = sk_X509_num(ctx->chain);
192 X509 *cert = sk_X509_value(ctx->chain, i);
220 || (ok = X509_get_pubkey_parameters(NULL, ctx->chain) ? 1 : -1) <= 0
224 err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
228 /* Verify chain signatures and expiration times */
275 if (ctx->chain != NULL) {
285 if (!ossl_x509_add_cert_new(&ctx->chain, ctx->cert, X509_ADD_FLAG_UP_REF)) {
299 * so that the chain is not considered verified should the error be ignored
319 * The issuer must not yet be in |ctx->chain|, yet allowing the exception that
320 * |x| is self-issued and |ctx->chain| has just one element.
331 && (((x->ex_flags & EXFLAG_SI) != 0 && sk_X509_num(ctx->chain) == 1)
332 || !sk_X509_contains(ctx->chain, issuer))) {
448 * Check extensions of a cert chain for consistency with the supplied purpose.
456 int purpose, allow_proxy_certs, num = sk_X509_num(ctx->chain);
465 * all certificates in the chain except the leaf certificate.
480 x = sk_X509_value(ctx->chain, i);
569 * this means not last cert in chain,
651 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
652 X509 *x = sk_X509_value(ctx->chain, i);
655 /* Ignore self-issued certs unless last in chain */
727 * Check against constraints for all certificates higher in chain
732 for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
733 NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
816 int num = sk_X509_num(ctx->chain);
830 * Check trusted certificates in chain at depth num_untrusted and up.
836 x = sk_X509_value(ctx->chain, i);
847 * the chain is PKIX trusted.
862 x = sk_X509_value(ctx->chain, i);
880 (void)sk_X509_set(ctx->chain, 0, mx);
887 * If no trusted certs in chain at all return untrusted and allow
915 last = sk_X509_num(ctx->chain) - 1;
937 X509 *x = sk_X509_value(ctx->chain, cnum);
1169 * retrieve a chain of deltas...
1269 if (cidx != sk_X509_num(ctx->chain) - 1)
1272 crl_issuer = sk_X509_value(ctx->chain, cidx);
1282 for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) {
1283 crl_issuer = sk_X509_value(ctx->chain, cidx);
1342 /* Check chain is acceptable */
1343 ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
1531 int chnum = sk_X509_num(ctx->chain) - 1;
1538 * certificate in chain.
1541 issuer = sk_X509_value(ctx->chain, cnum + 1);
1543 issuer = sk_X509_value(ctx->chain, chnum);
1639 * certificate! In that case our chain does not have the trust anchor
1641 * chain verification, since there too, the trust anchor is not part of the
1642 * chain to be verified. In particular, X509_policy_check() does not look
1643 * at the TA cert, but assumes that it is present as the top-most chain
1644 * element. We therefore temporarily push a NULL cert onto the chain if it
1648 if (ctx->bare_ta_signed && !sk_X509_push(ctx->chain, NULL))
1650 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1653 (void)sk_X509_pop(ctx->chain);
1662 for (i = 0; i < sk_X509_num(ctx->chain); i++) {
1663 X509 *x = sk_X509_value(ctx->chain, i);
1742 * Verify the issuer signatures and cert times of ctx->chain.
1747 int n = sk_X509_num(ctx->chain) - 1;
1748 X509 *xi = sk_X509_value(ctx->chain, n);
1760 /* exceptional case: last cert in the chain is not self-issued */
1765 xs = sk_X509_value(ctx->chain, n);
1787 * Initially xs == xi if the last cert in the chain is self-issued.
1811 * In case the 'issuing' certificate is the last in the chain and is
1847 xs = sk_X509_value(ctx->chain, n);
1982 /* Copy any missing public key parameters up the chain towards pkey */
1983 int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
1991 for (i = 0; i < sk_X509_num(chain); i++) {
1992 ktmp = X509_get0_pubkey(sk_X509_value(chain, i));
2008 ktmp2 = X509_get0_pubkey(sk_X509_value(chain, j));
2169 return ctx->chain;
2174 if (ctx->chain == NULL)
2176 return X509_chain_up_ref(ctx->chain);
2324 STACK_OF(X509) *chain)
2334 ctx->untrusted = chain;
2339 ctx->chain = NULL;
2488 sk_X509_pop_free(ctx->chain, X509_free);
2489 ctx->chain = NULL;
2527 sk_X509_pop_free(ctx->chain, X509_free);
2528 ctx->chain = sk;
2713 * further PKIX-?? records, it remains to just build the PKIX chain.
2725 * We handle DANE-EE(3) records first as they require no chain building
2807 * full chain.
2844 cert = sk_X509_value(ctx->chain, depth);
2860 X509 *cert = sk_X509_value(ctx->chain, num - 1);
2872 /* Clear any PKIX-?? matches that failed to extend to a full chain */
2881 /* Prune any excess chain certificates */
2882 num = sk_X509_num(ctx->chain);
2884 X509_free(sk_X509_pop(ctx->chain));
2894 /* Reset state to verify another chain, or clear after failure. */
2935 if (done && !X509_get_pubkey_parameters(NULL, ctx->chain))
2968 * certificates happens in-line with building the rest of the chain.
2979 STACK_OF(X509) *saved_chain = ctx->chain;
2982 ctx->chain = NULL;
2984 ctx->chain = saved_chain;
2993 int num = sk_X509_num(ctx->chain);
3004 /* Our chain starts with a single untrusted element. */
3008 #define S_DOUNTRUSTED (1 << 0) /* Search untrusted chain */
3010 #define S_DOALTERNATE (1 << 2) /* Retry with pruned alternate chain */
3016 * and alternate chains are not disabled, try building an alternate chain
3056 * Try to extend the chain until we reach an ultimately trusted issuer.
3065 num = sk_X509_num(ctx->chain);
3070 * reach the depth limit, we stop extending the chain, if by that point
3071 * we've not found a trust anchor, any trusted chain would be too long.
3078 * made to locate an issuer for that certificate, since such a chain
3085 * As high up the chain as we can, look for an alternative
3088 * to track how far up the chain we find the first match. It
3089 * is only if and when we find a match, that we prune the chain
3093 * wise to preemptively modify either the chain or
3101 curr = sk_X509_value(ctx->chain, i - 1);
3120 * Alternative trusted issuer for a mid-chain untrusted cert?
3122 * be able to complete a valid chain via the trust store. Note
3124 * fail complete the chain to a suitable trust anchor, in which
3127 * again with an even shorter untrusted chain!
3140 X509_free(sk_X509_pop(ctx->chain));
3156 * trusted matching issuer. Otherwise, grow the chain.
3159 if (!sk_X509_push(ctx->chain, issuer)) {
3179 (void)sk_X509_set(ctx->chain, num, issuer);
3184 * We've added a new trusted certificate to the chain, re-check
3187 * look for untrusted certificates from the peer's chain.
3212 * and trying to extend the shorted chain.
3215 /* Continue search for a trusted issuer of a shorter chain? */
3222 /* Search for a trusted issuer of a shorter chain */
3229 * Extend chain with peer-provided untrusted certificates
3232 num = sk_X509_num(ctx->chain);
3235 curr = sk_X509_value(ctx->chain, num - 1);
3253 if (!X509_add_cert(ctx->chain, issuer, X509_ADD_FLAG_UP_REF))
3270 * Last chance to make a trusted chain, either bare DANE-TA public-key
3273 num = sk_X509_num(ctx->chain);
3305 if (X509_self_signed(sk_X509_value(ctx->chain, num - 1), 0) > 0)
3349 if (!ossl_x509_add_cert_new(&ctx->chain, target, X509_ADD_FLAG_UP_REF)) {
3359 if (sk_X509_num(ctx->chain) > 1 && !with_self_signed)
3361 if (!ossl_x509_add_certs_new(&result, ctx->chain, flags)) {