return 0;
}
+static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, X509_NAME *nm)
+{
+ STACK_OF(X509) *sk = NULL;
+ X509 *x;
+ int i;
+ for (i = 0; i < sk_X509_num(ctx->other_ctx); i++) {
+ x = sk_X509_value(ctx->other_ctx, i);
+ if (X509_NAME_cmp(nm, X509_get_subject_name(x)) == 0) {
+ if (sk == NULL)
+ sk = sk_X509_new_null();
+ if (sk == NULL || sk_X509_push(sk, x) == 0) {
+ sk_X509_pop_free(sk, X509_free);
+ return NULL;
+ }
+ X509_up_ref(x);
+ }
+ }
+ return sk;
+}
+
/*
* Check a certificate chains extensions for consistency with the supplied
* purpose
return X509_TRUST_UNTRUSTED;
}
- if (num_untrusted > num && ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
+ if (num_untrusted == num && ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
/*
* Last-resort call with no new trusted certificates, check the leaf
* for a direct trust store match.
{
ctx->other_ctx = sk;
ctx->get_issuer = get_issuer_sk;
+ ctx->lookup_certs = lookup_certs_sk;
}
void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
* Last chance to make a trusted chain, either bare DANE-TA public-key
* signers, or else direct leaf PKIX trust.
*/
- if (sk_X509_num(ctx->chain) <= depth) {
+ num = sk_X509_num(ctx->chain);
+ if (num <= depth) {
if (trust == X509_TRUST_UNTRUSTED && DANETLS_HAS_DANE_TA(dane))
trust = check_dane_pkeys(ctx);
- if (trust == X509_TRUST_UNTRUSTED &&
- sk_X509_num(ctx->chain) == ctx->num_untrusted)
- trust = check_trust(ctx, ctx->num_untrusted+1);
+ if (trust == X509_TRUST_UNTRUSTED && num == ctx->num_untrusted)
+ trust = check_trust(ctx, num);
}
switch (trust) {
projects / openssl.git / blobdiff