- if (out_trusted != NULL
- && !OSSL_CMP_validate_cert_path(ctx, out_trusted, cert))
- fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData;
+ ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert");
+ chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq,
+ out_trusted /* may be NULL */,
+ ctx->untrusted, cert);
+ if (sk_X509_num(chain) > 0)
+ X509_free(sk_X509_shift(chain)); /* remove leaf (EE) cert */
+ if (out_trusted != NULL) {
+ if (chain == NULL) {
+ ossl_cmp_err(ctx, "failed building chain for newly enrolled cert");
+ fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData;
+ } else {
+ ossl_cmp_debug(ctx,
+ "succeeded building proper chain for newly enrolled cert");
+ }
+ } else if (chain == NULL) {
+ ossl_cmp_warn(ctx, "could not build approximate chain for newly enrolled cert, resorting to received extraCerts");
+ chain = OSSL_CMP_CTX_get1_extraCertsIn(ctx);
+ } else {
+ ossl_cmp_debug(ctx,
+ "success building approximate chain for newly enrolled cert");
+ }
+ (void)ossl_cmp_ctx_set1_newChain(ctx, chain);
+ sk_X509_pop_free(chain, X509_free);
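Review bot: In the two `out_trusted == NULL` paths (the `else if (chain == NULL)` fallback and the final `else`), the chain handed to `ossl_cmp_ctx_set1_newChain()` has not been verified against any trust anchor, and in the fallback it is just the extraCerts received from the server, yet nothing at the store site records that. I would add a comment above the store such as `/* if out_trusted is NULL, chain is unverified and may be the raw received extraCerts; consumers must validate it themselves */`. The fallback also skips the leaf removal done right after `ossl_cmp_build_cert_chain()`, so whether newChain contains the EE cert depends on which path was taken. The `(void)` cast additionally hides a failure to store the chain; checking the result and reporting it through `ossl_cmp_warn()` would make that visible. The enclosing function begins and ends outside this hunk, so how `fail_info` is consumed afterwards cannot be confirmed from here.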