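Lines matching refs:issuer (non-contiguous excerpts; the number at the start of each line is its line number in the original file)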
39 #define CRL_SCORE_ISSUER_CERT 0x018 /* CRL issuer is certificate issuer; 0x018 = 0x010 | 0x008, so this value also carries the CRL_SCORE_SAME_PATH bit */
40 #define CRL_SCORE_SAME_PATH 0x008 /* CRL issuer is on certificate path */
41 #define CRL_SCORE_AKID 0x004 /* CRL issuer matches CRL AKID (authority key identifier) */
48 static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
57 static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
90 * to match issuer and subject names (i.e., the cert being self-issued) and any
196 * check the security of issuer keys.
318 * Find in given STACK_OF(X509) |sk| an issuer cert (if any) of given cert |x|.
319 * The issuer must not yet be in |ctx->chain|, yet allowing the exception that
326 X509 *issuer, *rv = NULL;
329 issuer = sk_X509_value(sk, i);
330 if (ctx->check_issued(ctx, x, issuer)
332 || !sk_X509_contains(ctx->chain, issuer))) {
333 if (ossl_x509_check_cert_time(ctx, issuer, -1))
334 return issuer;
335 if (rv == NULL || ASN1_TIME_compare(X509_get0_notAfter(issuer),
337 rv = issuer;
343 /* Check that the given certificate 'x' is issued by the certificate 'issuer' */
344 static int check_issued(ossl_unused X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
346 int err = ossl_x509_likely_issued(issuer, x);
351 * SUBJECT_ISSUER_MISMATCH just means 'x' is clearly not issued by 'issuer'.
361 static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
363 *issuer = find_issuer(ctx, ctx->other_ctx, x);
364 if (*issuer != NULL)
365 return X509_up_ref(*issuer) ? 1 : -1;
540 /* Check issuer is non-empty acc. to RFC 5280 section 4.1.2.4 */
661 * certificate subject MUST be the issuer with a single CN entry
681 * there is in issuer.
702 * all the previous RDNs match the issuer exactly
820 * Check for a DANE issuer at depth 1 or greater, if it is a DANE-TA(2)
888 * standard (no issuer cert) etc errors to be indicated.
1196 * 'x'. The return value is a mask of several criteria. If the issuer is not
1197 * the certificate issuer this is returned in *pissuer. The reasons mask is
1224 /* If issuer name doesn't match certificate need indirect CRL */
1239 /* Check authority key ID and locate certificate issuer */
1242 /* If we can't locate certificate issuer at this point forget it */
1298 * Otherwise the CRL issuer is not on the path. Look for it in the set of
1314 * Check the path of a CRL issuer certificate. This creates a new
1337 /* Verify CRL issuer */
1488 X509 *issuer = NULL;
1497 &issuer, &crl_score, &reasons, ctx->crls);
1508 get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
1515 ctx->current_issuer = issuer;
1528 X509 *issuer = NULL;
1533 /* If we have an alternative CRL issuer cert use that */
1535 issuer = ctx->current_issuer;
1537 * Else find CRL issuer: if not last certificate then issuer is next
1541 issuer = sk_X509_value(ctx->chain, cnum + 1);
1543 issuer = sk_X509_value(ctx->chain, chnum);
1544 if (!ossl_assert(issuer != NULL))
1547 if (!ctx->check_issued(ctx, issuer, issuer) &&
1552 if (issuer == NULL)
1560 if ((issuer->ex_flags & EXFLAG_KUSAGE) != 0 &&
1561 (issuer->ex_kusage & KU_CRL_SIGN) == 0 &&
1583 /* Attempt to get issuer certificate public key */
1584 ikey = X509_get0_pubkey(issuer);
1742 * Verify the issuer signatures and cert times of ctx->chain.
1756 * We report the issuer as NULL because all we have is a bare key.
1786 * else the supposed issuer cert containing the public key to use
1799 * If the issuer's public key is not available or its key usage
1800 * does not support issuing the subject cert, report the issuer
2069 /* Set issuer name */
2974 * Get trusted issuer, without duplicate suppression
2977 static int get1_trusted_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert)
2983 ok = ctx->get_issuer(issuer, ctx, cert);
3056 * Try to extend the chain until we reach an ultimately trusted issuer.
3063 X509 *curr, *issuer = NULL;
3075 * not ultimately-trusted issuer. For example, with verify_depth = 0,
3076 * the callback will report errors at depth=1 when the immediate issuer
3078 * made to locate an issuer for that certificate, since such a chain
3086 * trusted issuer of an untrusted certificate that currently
3087 * has an untrusted issuer. We use the alt_untrusted variable
3104 ok = num > max_depth ? 0 : get1_trusted_issuer(&issuer, ctx, curr);
3116 X509_free(issuer);
3120 * Alternative trusted issuer for a mid-chain untrusted cert?
3135 X509_free(issuer);
3156 * trusted matching issuer. Otherwise, grow the chain.
3159 if (!sk_X509_push(ctx->chain, issuer)) {
3160 X509_free(issuer);
3163 if ((self_signed = X509_self_signed(issuer, 0)) < 0)
3172 if (X509_cmp(curr, issuer) != 0) {
3174 X509_free(issuer);
3176 } else { /* curr "==" issuer */
3179 (void)sk_X509_set(ctx->chain, num, issuer);
3215 /* Continue search for a trusted issuer of a shorter chain? */
3222 /* Search for a trusted issuer of a shorter chain */
3236 issuer = (X509_self_signed(curr, 0) > 0 || num > max_depth) ?
3238 if (issuer == NULL) {
3241 * or can't find an issuer in the untrusted list we stop looking
3250 /* Drop this issuer from future consideration */
3251 (void)sk_X509_delete_ptr(sk_untrusted, issuer);
3253 if (!X509_add_cert(ctx->chain, issuer, X509_ADD_FLAG_UP_REF))