146 static int check_key_level(X509_STORE_CTX *ctx, X509 *cert);
170 	ctx->current_cert = ctx->cert;
198 	X509 *x = ctx->cert;
244 	if (ctx->chain == NULL || !sk_X509_push(ctx->chain, ctx->cert)) {
249 	X509_up_ref(ctx->cert);
286 			 * If successful for now free up cert so it
294 		/* If we were passed a cert chain, use it first */
297 			 * If we do not find a non-expired untrusted cert, peek
299 			 * store. If not, see if we have an expired untrusted cert.
450 					 * Free up the found cert
588 	if (ctx->cert == NULL) {
596 		 * a cert. We cannot do another one.
624 	if (!check_key_level(ctx, ctx->cert) &&
625 	    !verify_cb_cert(ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL))
653 /* Given a STACK_OF(X509) find the issuer of cert (if any)
907 	 * standard (no issuer cert) etc errors to be indicated.
1258 	/* Check cert for matching CRL distribution points */
1564 	/* if we have an alternative CRL issuer cert use that */
1729  * If x is not NULL it is the error cert, otherwise use the chain cert
2128 	ctx->cert = x;
2261 	ctx->cert = leaf;
2420 	return ctx->cert;
2515  * Check whether the public key of |cert| meets the security level of |ctx|.
2520 check_key_level(X509_STORE_CTX *ctx, X509 *cert)
2526 	if ((pkey = X509_get0_pubkey(cert)) == NULL)
2536  * Check whether the signature digest algorithm of |cert| meets the security
2542 check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
2547 	if ((nid = X509_get_signature_nid(cert)) == NID_undef)
2579 		X509 *cert = sk_X509_value(ctx->chain, i);
2586 			if (!check_key_level(ctx, cert) &&
2587 			    !verify_cb_cert(ctx, cert, i,
2599 		if (!check_sig_level(ctx, cert) &&
2600 		    !verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_MD_TOO_WEAK))

Indexes created Mon Aug 12 20:48:49 MDT 2024