Lines Matching refs:trust

202 * except those of the trust anchor at index num-1.
397 * auxiliary trust can be used to override EKU-restrictions.
406 * For trusted certificates we want to see whether any auxiliary trust
409 * This is complicated by the fact that the trust ordinals in
410 * ctx->param->trust are entirely independent of the purpose ordinals in
415 * related values of both param->trust and param->purpose. It is however
416 * typically possible to infer associated trust values from a purpose value
419 * Therefore, we can only check for trust overrides when the purpose we're
420 * checking is the same as ctx->param->purpose and ctx->param->trust is
424 tr_ok = X509_check_trust(x, ctx->param->trust, X509_TRUST_NO_SS_COMPAT);
728 * including trust anchor. Trust anchor not strictly speaking needed
817 int trust;
824 trust = check_dane_issuer(ctx, num_untrusted);
825 if (trust != X509_TRUST_UNTRUSTED)
826 return trust;
837 trust = X509_check_trust(x, ctx->param->trust, 0);
839 if (trust == X509_TRUST_TRUSTED)
841 if (trust == X509_TRUST_REJECTED)
859 * for a direct trust store match.
870 * Check explicit auxiliary trust/reject settings. If none are set,
873 trust = X509_check_trust(mx, ctx->param->trust, 0);
874 if (trust == X509_TRUST_REJECTED) {
1353 * strict and states that the two paths must end in the same trust anchor,
1638 * With DANE, the trust anchor might be a bare public key, not a
1639 * certificate! In that case our chain does not have the trust anchor
1641 * chain verification, since there too, the trust anchor is not part of the
1830 /* In addition to RFC 5280 requirements do also for trust anchor cert */
2207 * XXX: Why isn't this function always used to set the associated trust?
2208 * Should there even be a VPM->trust field at all? Or should the trust
2214 int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
2218 * trust for the purpose needs an override in a corner case.
2220 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
2224 * This function is used to set the X509_STORE_CTX purpose and trust values.
2225 * This is intended to be used when another structure has its own trust and
2228 * be used to set the trust value. An example of this is SSL use: an SSL
2229 * structure will have its own purpose and trust settings which the
2234 int purpose, int trust)
2257 if (ptmp->trust == X509_TRUST_DEFAULT) {
2265 /* If trust not set then get from purpose default */
2266 if (trust == 0)
2267 trust = ptmp->trust;
2269 if (trust != 0) {
2270 idx = X509_TRUST_get_by_id(trust);
2279 if (ctx->param->trust == 0 && trust != 0)
2280 ctx->param->trust = trust;
2432 * XXX: For now, continue to inherit trust from VPM, but infer from the
2435 if (ctx->param->trust == X509_TRUST_DEFAULT) {
2440 ctx->param->trust = X509_PURPOSE_get_trust(xp);
2707 /* The trust store is not applicable with DANE-TA(2) */
2840 * Record any DANE trust anchor matches, for the first depth to test, if
2924 * return value is 0, because we still need to find a PKIX trust anchor.
2998 int trust = X509_TRUST_UNTRUSTED;
3033 * If we got any "Cert(0) Full(0)" trust anchors from DNS, *prepend* them
3068 * Look in the trust store if enabled for first lookup, or we've run
3071 * we've not found a trust anchor, any trusted chain would be too long.
3077 * of the leaf certificate is not a trust anchor. No attempt will be
3107 trust = -1;
3122 * be able to complete a valid chain via the trust store. Note
3123 * that despite the current trust store match we might still
3124 * fail complete the chain to a suitable trust anchor, in which
3129 * If in the process we threw away our matching PKIX-TA trust
3130 * anchor, reset DANE trust. We might find a suitable trusted
3131 * certificate among the ones from the trust store.
3169 * a trust anchor. We must have an exact match to avoid
3185 * trust. If not done, and not self-signed look deeper.
3192 * "the wire" from CAs from the trust store. In particular, the
3200 trust = check_trust(ctx, num);
3201 if (trust != X509_TRUST_UNTRUSTED)
3242 * there and start looking only in the trust store if enabled.
3258 /* Check for DANE-TA trust of the topmost untrusted certificate. */
3259 trust = check_dane_issuer(ctx, ctx->num_untrusted - 1);
3260 if (trust == X509_TRUST_TRUSTED || trust == X509_TRUST_REJECTED)
3266 if (trust < 0) /* internal error */
3267 return trust;
3271 * signers, or else direct leaf PKIX trust.
3275 if (trust == X509_TRUST_UNTRUSTED && DANETLS_HAS_DANE_TA(dane))
3276 trust = check_dane_pkeys(ctx);
3277 if (trust == X509_TRUST_UNTRUSTED && num == ctx->num_untrusted)
3278 trust = check_trust(ctx, num);
3281 switch (trust) {
3434 * level of ``ctx``. Should not be checked for trust anchors (whether