- {
- X509_NAME *xn;
- X509_OBJECT obj, *pobj;
- int i, ok, idx, ret;
- *issuer = NULL;
- xn=X509_get_issuer_name(x);
- ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
- if (ok != X509_LU_X509)
- {
- if (ok == X509_LU_RETRY)
- {
- X509_OBJECT_free_contents(&obj);
- X509err(X509_F_X509_STORE_CTX_GET1_ISSUER,X509_R_SHOULD_RETRY);
- return -1;
- }
- else if (ok != X509_LU_FAIL)
- {
- X509_OBJECT_free_contents(&obj);
- /* not good :-(, break anyway */
- return -1;
- }
- return 0;
- }
- /* If certificate matches all OK */
- if (ctx->check_issued(ctx, x, obj.data.x509))
- {
- if (x509_check_cert_time(ctx, obj.data.x509, 1))
- {
- *issuer = obj.data.x509;
- return 1;
- }
- }
- X509_OBJECT_free_contents(&obj);
-
- /* Else find index of first cert accepted by 'check_issued' */
- ret = 0;
- CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
- idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
- if (idx != -1) /* should be true as we've had at least one match */
- {
- /* Look through all matching certs for suitable issuer */
- for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
- {
- pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
- /* See if we've run past the matches */
- if (pobj->type != X509_LU_X509)
- break;
- if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))
- break;
- if (ctx->check_issued(ctx, x, pobj->data.x509))
- {
- *issuer = pobj->data.x509;
- ret = 1;
- /*
- * If times check, exit with match,
- * otherwise keep looking. Leave last
- * match in issuer so we return nearest
- * match if no certificate time is OK.
- */
-
- if (x509_check_cert_time(ctx, *issuer, 1))
- break;
- }
- }
- }
- CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
- if (*issuer)
- CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
- return ret;
- }
+{
+ X509_NAME *xn;
+ X509_OBJECT obj, *pobj;
+ int i, ok, idx, ret;
+ *issuer = NULL;
+ xn = X509_get_issuer_name(x);
+ ok = X509_STORE_get_by_subject(ctx, X509_LU_X509, xn, &obj);
+ if (ok != X509_LU_X509) {
+ if (ok == X509_LU_RETRY) {
+ X509_OBJECT_free_contents(&obj);
+ X509err(X509_F_X509_STORE_CTX_GET1_ISSUER, X509_R_SHOULD_RETRY);
+ return -1;
+ } else if (ok != X509_LU_FAIL) {
+ X509_OBJECT_free_contents(&obj);
+ /* not good :-(, break anyway */
+ return -1;
+ }
+ return 0;
+ }
+ /* If certificate matches all OK */
+ if (ctx->check_issued(ctx, x, obj.data.x509)) {
+ if (x509_check_cert_time(ctx, obj.data.x509, 1)) {
+ *issuer = obj.data.x509;
+ return 1;
+ }
+ }
+ X509_OBJECT_free_contents(&obj);
+
+ /* Else find index of first cert accepted by 'check_issued' */
+ ret = 0;
+ CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+ idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
+ if (idx != -1) { /* should be true as we've had at least one
+ * match */
+ /* Look through all matching certs for suitable issuer */
+ for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) {
+ pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
+ /* See if we've run past the matches */
+ if (pobj->type != X509_LU_X509)
+ break;
+ if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))
+ break;
+ if (ctx->check_issued(ctx, x, pobj->data.x509)) {
+ *issuer = pobj->data.x509;
+ ret = 1;
+ /*
+ * If times check, exit with match,
+ * otherwise keep looking. Leave last
+ * match in issuer so we return nearest
+ * match if no certificate time is OK.
+ */
+
+ if (x509_check_cert_time(ctx, *issuer, 1))
+ break;
+ }
+ }
+ }
+ CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+ if (*issuer)
+ CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);
+ return ret;
+}