366 /* Check that issuer public key algorithm matches subject signature algorithm */
367 static int check_sig_alg_match(const EVP_PKEY *issuer_key, const X509 *subject)
373     if (OBJ_find_sigid_algs(OBJ_obj2nid(subject->cert_info.signature.algorithm),
545     /* Handle subject key identifier and issuer/authority key identifier */
554     /* Check if subject name matches issuer */
564     /* Handle subject alternative names and various other extensions */
895  * have been looked up using some simple method such as by subject name.
897  * 1. issuer_name(subject) == subject_name(issuer)
898  * 2. If akid(subject) exists, it matches the respective issuer fields.
899  * 3. subject signature algorithm == issuer public key algorithm
900  * 4. If key_usage(issuer) exists, it allows for signing subject.
905 int X509_check_issued(X509 *issuer, X509 *subject)
909     if ((ret = ossl_x509_likely_issued(issuer, subject)) != X509_V_OK)
911     return ossl_x509_signing_allowed(issuer, subject);
915 int ossl_x509_likely_issued(X509 *issuer, X509 *subject)
920                       X509_get_issuer_name(subject)) != 0)
923     /* set issuer->skid and subject->akid */
925             || !ossl_x509v3_cache_extensions(subject))
928     ret = X509_check_akid(issuer, subject->akid);
932     /* Check if the subject signature alg matches the issuer's PUBKEY alg */
933     return check_sig_alg_match(X509_get0_pubkey(issuer), subject);
937  * Check if certificate I<issuer> is allowed to issue certificate I<subject>
939  * depending on any proxyCertInfo extension of I<subject>.
943 int ossl_x509_signing_allowed(const X509 *issuer, const X509 *subject)
945     if (subject->ex_flags & EXFLAG_PROXY) {

Indexes created Sun Jun 23 19:15:37 MDT 2024