return ok;
}
-/* Return 1 is a certificate is self signed */
-static int cert_self_signed(X509 *x)
+/* Return 1 is a certificate is self signed, 0 if not, or -1 on error */
+static int cert_self_signed(X509_STORE_CTX *ctx, X509 *x)
{
- if (X509_check_purpose(x, -1, 0) != 1)
- return 0;
+ if (!X509v3_cache_extensions(x, ctx->libctx, ctx->propq))
+ return -1;
+
if (x->ex_flags & EXFLAG_SS)
return 1;
else
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
{
int ret;
- if (x == issuer)
- return cert_self_signed(x);
+ int ss;
+
+ if (x == issuer) {
+ ss = cert_self_signed(ctx, x);
+ if (ss < 0)
+ return 0;
+ return ss;
+ }
+
ret = X509_check_issued(issuer, x);
if (ret == X509_V_OK) {
int i;
X509 *ch;
+
+ ss = cert_self_signed(ctx, x);
+ if (ss < 0)
+ return 0;
+
/* Special case: single self signed certificate */
- if (cert_self_signed(x) && sk_X509_num(ctx->chain) == 1)
+ if (ss > 0 && sk_X509_num(ctx->chain) == 1)
return 1;
for (i = 0; i < sk_X509_num(ctx->chain); i++) {
ch = sk_X509_value(ctx->chain, i);
if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n,
X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))
return 0;
- } else if (X509_verify(xs, pkey) <= 0) {
+ } else if (X509_verify_ex(xs, pkey, ctx->libctx, ctx->propq) <= 0) {
if (!verify_cb_cert(ctx, xs, n,
X509_V_ERR_CERT_SIGNATURE_FAILURE))
return 0;
if (t->usage != DANETLS_USAGE_DANE_TA ||
t->selector != DANETLS_SELECTOR_SPKI ||
t->mtype != DANETLS_MATCHING_FULL ||
- X509_verify(cert, t->spki) <= 0)
+ X509_verify_ex(cert, t->spki, ctx->libctx, ctx->propq) <= 0)
continue;
/* Clear any PKIX-?? matches that failed to extend to a full chain */
SSL_DANE *dane = ctx->dane;
int num = sk_X509_num(ctx->chain);
X509 *cert = sk_X509_value(ctx->chain, num - 1);
- int ss = cert_self_signed(cert);
+ int ss;
STACK_OF(X509) *sktmp = NULL;
unsigned int search;
int may_trusted = 0;
return 0;
}
+ ss = cert_self_signed(ctx, cert);
+ if (ss < 0) {
+ X509err(X509_F_BUILD_CHAIN, ERR_R_INTERNAL_ERROR);
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ return 0;
+ }
+
#define S_DOUNTRUSTED (1 << 0) /* Search untrusted chain */
#define S_DOTRUSTED (1 << 1) /* Search trusted store */
#define S_DOALTERNATE (1 << 2) /* Retry with pruned alternate chain */
search = 0;
continue;
}
- ss = cert_self_signed(x);
+ ss = cert_self_signed(ctx, x);
+ if (ss < 0) {
+ X509err(X509_F_BUILD_CHAIN, ERR_R_INTERNAL_ERROR);
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ return 0;
+ }
} else if (num == ctx->num_untrusted) {
/*
* We have a self-signed certificate that has the same
X509_up_ref(x = xtmp);
++ctx->num_untrusted;
- ss = cert_self_signed(xtmp);
+ ss = cert_self_signed(ctx, xtmp);
+ if (ss < 0) {
+ X509err(X509_F_BUILD_CHAIN, ERR_R_INTERNAL_ERROR);
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ return 0;
+ }
/*
* Check for DANE-TA trust of the topmost untrusted certificate.
projects / openssl.git / blobdiff