void
openssl_time_callback (const SSL* ssl, int where, int ret)
{
if (where == SSL_CB_CONNECT_LOOP &&
(ssl->state == SSL3_ST_CR_SRVR_HELLO_A || ssl->state == SSL3_ST_CR_SRVR_HELLO_B))
{
// XXX TODO: If we want to trust the remote system for time,
// can we just read that time out of the remote system and if the
// cert verifies, decide that the time is reasonable?
// Such a process seems to indicate that a once valid cert would be
// forever valid - we stopgap that by ensuring it isn't less than
// the latest compiled_time and isn't above max_reasonable_time...
// XXX TODO: Solve eternal question about the Chicken and the Egg...
uint32_t compiled_time = RECENT_COMPILE_DATE;
uint32_t max_reasonable_time = MAX_REASONABLE_TIME;
uint32_t server_time;
verb("V: freezing time for x509 verification");
memcpy(&server_time, ssl->s3->server_random, sizeof(uint32_t));
if (compiled_time < ntohl(server_time)
&&
ntohl(server_time) < max_reasonable_time)
{
verb("V: remote peer provided: %d, preferred over compile time: %d",
ntohl(server_time), compiled_time);
verb("V: freezing time with X509_VERIFY_PARAM_set_time");
X509_VERIFY_PARAM_set_time(ssl->ctx->cert_store->param,
(time_t) ntohl(server_time) + 86400);
} else {
die("V: the remote server is a false ticker! server: %d compile: %d",
ntohl(server_time), compiled_time);
}
}
}
int
mono_btls_x509_verify_param_set_time (MonoBtlsX509VerifyParam *param, long time)
{
if (!param->owns)
return -1;
X509_VERIFY_PARAM_set_time (param->param, time);
return 1;
}
bool bdoc::X509Cert::verify(X509_STORE* aStore, struct tm* tm) const
{
if (aStore == NULL) {
THROW_STACK_EXCEPTION("Invalid argument to verify");
}
X509_STORE* store = aStore;
X509_STORE** ppStore = NULL;
X509_STORE_scope xst(ppStore);
X509_STORE_CTX *csc = X509_STORE_CTX_new();
X509_STORE_CTX_scope csct(&csc);
if (csc == NULL) {
THROW_STACK_EXCEPTION("Failed to create X509_STORE_CTX %s",ERR_reason_error_string(ERR_get_error()));
}
X509* x = getX509();
X509_scope xt(&x);
if (!X509_STORE_CTX_init(csc, store, x, NULL)) {
THROW_STACK_EXCEPTION("Failed to init X509_STORE_CTX %s",ERR_reason_error_string(ERR_get_error()));
}
if (tm != NULL) {
time_t t = timegm(tm);
if (t == -1) {
THROW_STACK_EXCEPTION("Given time cannot be represented as calendar time");
}
X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(csc);
if (param == NULL) {
THROW_STACK_EXCEPTION("Failed to retrieve X509_STORE_CTX verification parameters %s",
ERR_reason_error_string(ERR_get_error()));
}
X509_VERIFY_PARAM_set_time(param, t);
}
int ok = X509_verify_cert(csc);
if (ok != 1) {
int err = X509_STORE_CTX_get_error(csc);
X509Cert cause(X509_STORE_CTX_get_current_cert (csc));
std::ostringstream s;
s << "Unable to verify " << cause.getSubject();
s << ". Cause: " << X509_verify_cert_error_string(err);
switch (err) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
{
THROW_STACK_EXCEPTION("Certificate issuer missing: %s", s.str().c_str());
}
default: THROW_STACK_EXCEPTION(s.str().c_str()); break;
}
}
return (ok == 1);
}
int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
{
int i;
ossl_intmax_t t = 0;
ASN1_OBJECT *otmp;
X509_PURPOSE *xptmp;
const X509_VERIFY_PARAM *vtmp;
assert(vpm != NULL);
assert(opt > OPT_V__FIRST);
assert(opt < OPT_V__LAST);
switch ((enum range)opt) {
case OPT_V__FIRST:
case OPT_V__LAST:
return 0;
case OPT_V_POLICY:
otmp = OBJ_txt2obj(opt_arg(), 0);
if (otmp == NULL) {
BIO_printf(bio_err, "%s: Invalid Policy %s\n", prog, opt_arg());
return 0;
}
X509_VERIFY_PARAM_add0_policy(vpm, otmp);
break;
case OPT_V_PURPOSE:
/* purpose name -> purpose index */
i = X509_PURPOSE_get_by_sname(opt_arg());
if (i < 0) {
BIO_printf(bio_err, "%s: Invalid purpose %s\n", prog, opt_arg());
return 0;
}
/* purpose index -> purpose object */
xptmp = X509_PURPOSE_get0(i);
/* purpose object -> purpose value */
i = X509_PURPOSE_get_id(xptmp);
if (!X509_VERIFY_PARAM_set_purpose(vpm, i)) {
BIO_printf(bio_err,
"%s: Internal error setting purpose %s\n",
prog, opt_arg());
return 0;
}
break;
case OPT_V_VERIFY_NAME:
vtmp = X509_VERIFY_PARAM_lookup(opt_arg());
if (vtmp == NULL) {
BIO_printf(bio_err, "%s: Invalid verify name %s\n",
prog, opt_arg());
return 0;
}
X509_VERIFY_PARAM_set1(vpm, vtmp);
break;
case OPT_V_VERIFY_DEPTH:
i = atoi(opt_arg());
if (i >= 0)
X509_VERIFY_PARAM_set_depth(vpm, i);
break;
case OPT_V_VERIFY_AUTH_LEVEL:
i = atoi(opt_arg());
if (i >= 0)
X509_VERIFY_PARAM_set_auth_level(vpm, i);
break;
case OPT_V_ATTIME:
if (!opt_imax(opt_arg(), &t))
return 0;
if (t != (time_t)t) {
BIO_printf(bio_err, "%s: epoch time out of range %s\n",
prog, opt_arg());
return 0;
}
X509_VERIFY_PARAM_set_time(vpm, (time_t)t);
break;
case OPT_V_VERIFY_HOSTNAME:
if (!X509_VERIFY_PARAM_set1_host(vpm, opt_arg(), 0))
return 0;
break;
case OPT_V_VERIFY_EMAIL:
if (!X509_VERIFY_PARAM_set1_email(vpm, opt_arg(), 0))
return 0;
break;
case OPT_V_VERIFY_IP:
if (!X509_VERIFY_PARAM_set1_ip_asc(vpm, opt_arg()))
return 0;
break;
case OPT_V_IGNORE_CRITICAL:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_IGNORE_CRITICAL);
break;
case OPT_V_ISSUER_CHECKS:
/* NOP, deprecated */
break;
case OPT_V_CRL_CHECK:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CRL_CHECK);
break;
case OPT_V_CRL_CHECK_ALL:
X509_VERIFY_PARAM_set_flags(vpm,
X509_V_FLAG_CRL_CHECK |
X509_V_FLAG_CRL_CHECK_ALL);
break;
case OPT_V_POLICY_CHECK:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_POLICY_CHECK);
break;
case OPT_V_EXPLICIT_POLICY:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_EXPLICIT_POLICY);
break;
case OPT_V_INHIBIT_ANY:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_INHIBIT_ANY);
break;
case OPT_V_INHIBIT_MAP:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_INHIBIT_MAP);
break;
case OPT_V_X509_STRICT:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_X509_STRICT);
break;
case OPT_V_EXTENDED_CRL:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_EXTENDED_CRL_SUPPORT);
break;
case OPT_V_USE_DELTAS:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_USE_DELTAS);
break;
case OPT_V_POLICY_PRINT:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NOTIFY_POLICY);
break;
case OPT_V_CHECK_SS_SIG:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CHECK_SS_SIGNATURE);
break;
case OPT_V_TRUSTED_FIRST:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_TRUSTED_FIRST);
break;
case OPT_V_SUITEB_128_ONLY:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_128_LOS_ONLY);
break;
case OPT_V_SUITEB_128:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_128_LOS);
break;
case OPT_V_SUITEB_192:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_192_LOS);
break;
case OPT_V_PARTIAL_CHAIN:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN);
break;
case OPT_V_NO_ALT_CHAINS:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_ALT_CHAINS);
break;
case OPT_V_NO_CHECK_TIME:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME);
break;
}
return 1;
}
int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
{
unsigned long ul;
int i;
ASN1_OBJECT *otmp;
X509_PURPOSE *xptmp;
const X509_VERIFY_PARAM *vtmp;
assert(vpm != NULL);
assert(opt > OPT_V__FIRST);
assert(opt < OPT_V__LAST);
switch ((enum range)opt) {
case OPT_V__FIRST:
case OPT_V__LAST:
return 0;
case OPT_V_POLICY:
otmp = OBJ_txt2obj(opt_arg(), 0);
if (otmp == NULL) {
BIO_printf(bio_err, "%s: Invalid Policy %s\n", prog, opt_arg());
return 0;
}
X509_VERIFY_PARAM_add0_policy(vpm, otmp);
break;
case OPT_V_PURPOSE:
i = X509_PURPOSE_get_by_sname(opt_arg());
if (i < 0) {
BIO_printf(bio_err, "%s: Invalid purpose %s\n", prog, opt_arg());
return 0;
}
xptmp = X509_PURPOSE_get0(i);
i = X509_PURPOSE_get_id(xptmp);
X509_VERIFY_PARAM_set_purpose(vpm, i);
break;
case OPT_V_VERIFY_NAME:
vtmp = X509_VERIFY_PARAM_lookup(opt_arg());
if (vtmp == NULL) {
BIO_printf(bio_err, "%s: Invalid verify name %s\n",
prog, opt_arg());
return 0;
}
X509_VERIFY_PARAM_set1(vpm, vtmp);
break;
case OPT_V_VERIFY_DEPTH:
i = atoi(opt_arg());
if (i >= 0)
X509_VERIFY_PARAM_set_depth(vpm, i);
break;
case OPT_V_ATTIME:
opt_ulong(opt_arg(), &ul);
if (ul)
X509_VERIFY_PARAM_set_time(vpm, (time_t)ul);
break;
case OPT_V_VERIFY_HOSTNAME:
if (!X509_VERIFY_PARAM_set1_host(vpm, opt_arg(), 0))
return 0;
break;
case OPT_V_VERIFY_EMAIL:
if (!X509_VERIFY_PARAM_set1_email(vpm, opt_arg(), 0))
return 0;
break;
case OPT_V_VERIFY_IP:
if (!X509_VERIFY_PARAM_set1_ip_asc(vpm, opt_arg()))
return 0;
break;
case OPT_V_IGNORE_CRITICAL:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_IGNORE_CRITICAL);
break;
case OPT_V_ISSUER_CHECKS:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CB_ISSUER_CHECK);
break;
case OPT_V_CRL_CHECK:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CRL_CHECK);
break;
case OPT_V_CRL_CHECK_ALL:
X509_VERIFY_PARAM_set_flags(vpm,
X509_V_FLAG_CRL_CHECK |
X509_V_FLAG_CRL_CHECK_ALL);
break;
case OPT_V_POLICY_CHECK:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_POLICY_CHECK);
break;
case OPT_V_EXPLICIT_POLICY:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_EXPLICIT_POLICY);
break;
case OPT_V_INHIBIT_ANY:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_INHIBIT_ANY);
break;
case OPT_V_INHIBIT_MAP:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_INHIBIT_MAP);
break;
case OPT_V_X509_STRICT:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_X509_STRICT);
break;
case OPT_V_EXTENDED_CRL:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_EXTENDED_CRL_SUPPORT);
break;
case OPT_V_USE_DELTAS:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_USE_DELTAS);
break;
case OPT_V_POLICY_PRINT:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NOTIFY_POLICY);
break;
case OPT_V_CHECK_SS_SIG:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CHECK_SS_SIGNATURE);
break;
case OPT_V_TRUSTED_FIRST:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_TRUSTED_FIRST);
break;
case OPT_V_SUITEB_128_ONLY:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_128_LOS_ONLY);
break;
case OPT_V_SUITEB_128:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_128_LOS);
break;
case OPT_V_SUITEB_192:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_192_LOS);
break;
case OPT_V_PARTIAL_CHAIN:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN);
break;
case OPT_V_NO_ALT_CHAINS:
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_ALT_CHAINS);
}
return 1;
}
/**
* xmlSecOpenSSLX509StoreVerify:
* @store: the pointer to X509 key data store klass.
* @certs: the untrusted certificates stack.
* @crls: the crls stack.
* @keyInfoCtx: the pointer to <dsig:KeyInfo/> element processing context.
*
* Verifies @certs list.
*
* Returns: pointer to the first verified certificate from @certs.
*/
X509*
xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509* certs,
XMLSEC_STACK_OF_X509_CRL* crls, xmlSecKeyInfoCtx* keyInfoCtx) {
xmlSecOpenSSLX509StoreCtxPtr ctx;
STACK_OF(X509)* certs2 = NULL;
STACK_OF(X509_CRL)* crls2 = NULL;
X509 * res = NULL;
X509 * cert;
X509 * err_cert = NULL;
X509_STORE_CTX *xsc;
char buf[256];
int err = 0;
int i;
int ret;
xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecOpenSSLX509StoreId), NULL);
xmlSecAssert2(certs != NULL, NULL);
xmlSecAssert2(keyInfoCtx != NULL, NULL);
xsc = X509_STORE_CTX_new();
if(xsc == NULL) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store), "X509_STORE_CTX_new");
goto done;
}
ctx = xmlSecOpenSSLX509StoreGetCtx(store);
xmlSecAssert2(ctx != NULL, NULL);
xmlSecAssert2(ctx->xst != NULL, NULL);
/* dup certs */
certs2 = sk_X509_dup(certs);
if(certs2 == NULL) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store), "sk_X509_dup");
goto done;
}
/* add untrusted certs from the store */
if(ctx->untrusted != NULL) {
for(i = 0; i < sk_X509_num(ctx->untrusted); ++i) {
ret = sk_X509_push(certs2, sk_X509_value(ctx->untrusted, i));
if(ret < 1) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store), "sk_X509_push");
goto done;
}
}
}
/* dup crls but remove all non-verified */
if(crls != NULL) {
crls2 = sk_X509_CRL_dup(crls);
if(crls2 == NULL) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store), "sk_X509_CRL_dup");
goto done;
}
for(i = 0; i < sk_X509_CRL_num(crls2); ) {
ret = xmlSecOpenSSLX509VerifyCRL(ctx->xst, sk_X509_CRL_value(crls2, i));
if(ret == 1) {
++i;
} else if(ret == 0) {
(void)sk_X509_CRL_delete(crls2, i);
} else {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"xmlSecOpenSSLX509VerifyCRL",
XMLSEC_ERRORS_R_XMLSEC_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
goto done;
}
}
}
/* remove all revoked certs */
for(i = 0; i < sk_X509_num(certs2);) {
cert = sk_X509_value(certs2, i);
if(crls2 != NULL) {
ret = xmlSecOpenSSLX509VerifyCertAgainstCrls(crls2, cert);
if(ret == 0) {
(void)sk_X509_delete(certs2, i);
continue;
} else if(ret != 1) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"xmlSecOpenSSLX509VerifyCertAgainstCrls",
XMLSEC_ERRORS_R_XMLSEC_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
goto done;
}
}
if(ctx->crls != NULL) {
ret = xmlSecOpenSSLX509VerifyCertAgainstCrls(ctx->crls, cert);
if(ret == 0) {
(void)sk_X509_delete(certs2, i);
continue;
} else if(ret != 1) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"xmlSecOpenSSLX509VerifyCertAgainstCrls",
XMLSEC_ERRORS_R_XMLSEC_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
goto done;
}
}
++i;
}
/* get one cert after another and try to verify */
for(i = 0; i < sk_X509_num(certs2); ++i) {
cert = sk_X509_value(certs2, i);
if(xmlSecOpenSSLX509FindNextChainCert(certs2, cert) == NULL) {
ret = X509_STORE_CTX_init(xsc, ctx->xst, cert, certs2);
if(ret != 1) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"X509_STORE_CTX_init");
goto done;
}
if(keyInfoCtx->certsVerificationTime > 0) {
X509_STORE_CTX_set_time(xsc, 0, keyInfoCtx->certsVerificationTime);
}
{
X509_VERIFY_PARAM * vpm = NULL;
unsigned long vpm_flags = 0;
vpm = X509_VERIFY_PARAM_new();
if(vpm == NULL) {
xmlSecOpenSSLError(xmlSecKeyDataStoreGetName(store),
"X509_VERIFY_PARAM_new");
goto done;
}
vpm_flags = X509_VERIFY_PARAM_get_flags(vpm);
vpm_flags &= (~X509_V_FLAG_CRL_CHECK);
if(keyInfoCtx->certsVerificationTime > 0) {
vpm_flags |= X509_V_FLAG_USE_CHECK_TIME;
X509_VERIFY_PARAM_set_time(vpm, keyInfoCtx->certsVerificationTime);
}
X509_VERIFY_PARAM_set_depth(vpm, keyInfoCtx->certsVerificationDepth);
X509_VERIFY_PARAM_set_flags(vpm, vpm_flags);
X509_STORE_CTX_set0_param(xsc, vpm);
}
ret = X509_verify_cert(xsc);
err_cert = X509_STORE_CTX_get_current_cert(xsc);
err = X509_STORE_CTX_get_error(xsc);
X509_STORE_CTX_cleanup (xsc);
if(ret == 1) {
res = cert;
goto done;
} else if(ret < 0) {
const char* err_msg;
buf[0] = '\0';
X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof buf);
err_msg = X509_verify_cert_error_string(err);
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"X509_verify_cert",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
"subj=%s;err=%d;msg=%s",
xmlSecErrorsSafeString(buf),
err,
xmlSecErrorsSafeString(err_msg));
goto done;
} else if(ret == 0) {
const char* err_msg;
buf[0] = '\0';
X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof buf);
err_msg = X509_verify_cert_error_string(err);
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
"X509_verify_cert",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
"subj=%s;err=%d;msg=%s",
xmlSecErrorsSafeString(buf),
err,
xmlSecErrorsSafeString(err_msg));
}
}
}
/* if we came here then we found nothing. do we have any error? */
if((err != 0) && (err_cert != NULL)) {
const char* err_msg;
err_msg = X509_verify_cert_error_string(err);
switch (err) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof buf);
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
NULL,
XMLSEC_ERRORS_R_CERT_ISSUER_FAILED,
"err=%d;msg=%s;issuer=%s",
err,
xmlSecErrorsSafeString(err_msg),
xmlSecErrorsSafeString(buf));
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
NULL,
XMLSEC_ERRORS_R_CERT_NOT_YET_VALID,
"err=%d;msg=%s", err,
xmlSecErrorsSafeString(err_msg));
break;
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
NULL,
XMLSEC_ERRORS_R_CERT_HAS_EXPIRED,
"err=%d;msg=%s", err,
xmlSecErrorsSafeString(err_msg));
break;
default:
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
NULL,
XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
"err=%d;msg=%s", err,
xmlSecErrorsSafeString(err_msg));
}
}
done:
if(certs2 != NULL) {
sk_X509_free(certs2);
}
if(crls2 != NULL) {
sk_X509_CRL_free(crls2);
}
if(xsc != NULL) {
X509_STORE_CTX_free(xsc);
}
return(res);
}
