59 static int check_key_level(X509_STORE_CTX *ctx, X509 *cert);
60 static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert);
61 static int check_curve(X509 *cert);
87 * Return 1 if given cert is considered self-signed, 0 if not, or -1 on error.
90 * to match issuer and subject names (i.e., the cert being self-issued) and any
93 int X509_self_signed(X509 *cert, int verify_signature)
97 if ((pkey = X509_get0_pubkey(cert)) == NULL) { /* handles cert == NULL */
101 if (!ossl_x509v3_cache_extensions(cert))
103 if ((cert->ex_flags & EXFLAG_SS) == 0)
107 return X509_verify(cert, pkey);
150 * The error cert is |x| if not NULL, else defaults to the chain cert at depth.
166 #define CB_FAIL_IF(cond, ctx, cert, depth, err) \
167 if ((cond) && verify_cb_cert(ctx, cert, depth, err) == 0) \
192 X509 *cert = sk_X509_value(ctx->chain, i);
198 CB_FAIL_IF(i > 0 && !check_key_level(ctx, cert),
199 ctx, cert, i, X509_V_ERR_CA_KEY_TOO_SMALL);
204 CB_FAIL_IF(i < num - 1 && !check_sig_level(ctx, cert),
205 ctx, cert, i, X509_V_ERR_CA_MD_TOO_WEAK);
256 if (ctx->cert == NULL && sk_X509_num(ctx->untrusted) >= 1)
257 ctx->cert = sk_X509_value(ctx->untrusted, 0);
269 if (ctx->cert == NULL) {
277 * This X509_STORE_CTX has already been used to verify a cert. We
285 if (!ossl_x509_add_cert_new(&ctx->chain, ctx->cert, X509_ADD_FLAG_UP_REF)) {
292 CB_FAIL_IF(!check_key_level(ctx, ctx->cert),
293 ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL);
307 static int sk_X509_contains(STACK_OF(X509) *sk, X509 *cert)
312 if (X509_cmp(sk_X509_value(sk, i), cert) == 0)
318 * Find in given STACK_OF(X509) |sk| an issuer cert (if any) of given cert |x|.
448 * Check extensions of a cert chain for consistency with the supplied purpose.
569 * this means not last cert in chain,
767 return verify_cb_cert(ctx, ctx->cert, 0, errcode);
791 X509 *x = ctx->cert;
888 * standard (no issuer cert) etc. errors to be indicated.
1246 /* Check cert for matching CRL distribution points */
1533 /* If we have an alternative CRL issuer cert use that */
1643 * at the TA cert, but assumes that it is present as the top-most chain
1644 * element. We therefore temporarily push a NULL cert onto the chain if it
1742 * Verify the issuer signatures and cert times of ctx->chain.
1760 /* exceptional case: last cert in the chain is not self-issued */
1784 * xs is the subject cert, for which the signature is to be checked
1786 * else the supposed issuer cert containing the public key to use
1787 * Initially xs == xi if the last cert in the chain is self-issued.
1800 * does not support issuing the subject cert, report the issuer
1801 * cert and its depth (rather than n, the depth of the subject).
1806 * step (n) we must check any given key usage extension in a CA cert
1812 * not a CA certificate but a 'self-issued' end-entity cert (i.e.,
1830 /* In addition to RFC 5280 requirements do also for trust anchor cert */
2196 ctx->cert = x;
2333 ctx->cert = x509;
2512 return ctx->cert;
2654 static unsigned char *dane_i2d(X509 *cert, uint8_t selector,
2665 len = i2d_X509(cert, &buf);
2668 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf);
2687 static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth)
2764 i2dbuf = dane_i2d(cert, selector, &i2dlen);
2817 dane->mcert = cert;
2818 X509_up_ref(cert);
2834 X509 *cert;
2844 cert = sk_X509_value(ctx->chain, depth);
2845 if (cert != NULL && (matched = dane_match(ctx, cert, depth)) < 0)
2860 X509 *cert = sk_X509_value(ctx->chain, num - 1);
2869 X509_verify(cert, t->spki) <= 0)
2902 static int check_leaf_suiteb(X509_STORE_CTX *ctx, X509 *cert)
2904 int err = X509_chain_check_suiteb(NULL, cert, NULL, ctx->param->flags);
2906 CB_FAIL_IF(err != X509_V_OK, ctx, cert, 0, err);
2913 X509 *cert = ctx->cert;
2932 matched = dane_match(ctx, ctx->cert, 0);
2940 if (!check_leaf_suiteb(ctx, cert))
2948 ctx->current_cert = cert;
2954 ctx->current_cert = cert;
2961 if (!check_leaf_suiteb(ctx, cert))
2963 return verify_cb_cert(ctx, cert, 0, X509_V_ERR_DANE_NO_MATCH);
2977 static int get1_trusted_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert)
2983 ok = ctx->get_issuer(issuer, ctx, cert);
3120 * Alternative trusted issuer for a mid-chain untrusted cert?
3121 * Pop the untrusted cert's successors and retry. We might now
3240 * Once we have reached a self-signed cert or num > max_depth
3379 * Check whether the public key of `cert` meets the security level of `ctx`.
3382 static int check_key_level(X509_STORE_CTX *ctx, X509 *cert)
3384 EVP_PKEY *pkey = X509_get0_pubkey(cert);
3407 * Check whether the public key of ``cert`` does not use explicit params
3412 static int check_curve(X509 *cert)
3414 EVP_PKEY *pkey = X509_get0_pubkey(cert);
3433 * Check whether the signature digest algorithm of ``cert`` meets the security
3439 static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
3449 if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))