Initial chain verify code: not tested probably not working

 Changes between 0.9.4 and 0.9.5  [xx XXX 1999]

  *) Support for the authority information access extension. Not

     very well tested yet.

  *) Very preliminary certificate chain verify code. Currently just tests

     the untrusted certificates for consistency with the verify purpose

     (which is set when the X509_STORE_CTX structure is set up) and checks

     the pathlength. Totally untested at present: needs some extra

     functionality in the verify program first. There is a

     NO_CHAIN_VERIFY compilation option to keep the old behaviour: this is

     because when it is finally working it will reject chains with

     invalid extensions whereas before it made no checks at all.

     Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions

     which should be used for version portability: especially since the

     verify structure is likely to change more often now.

     [Steve Henson]

  *) Support for the authority information access extension.

     [Steve Henson]

  *) Modify RSA and DSA PEM read routines to transparently handle

	return(tmp);

	}

X509_STORE_CTX *X509_STORE_CTX_new(void)

{

	return (X509_STORE_CTX *)Malloc(sizeof(X509_STORE_CTX));

}

void X509_STORE_CTX_free(X509_STORE_CTX *ctx)

{

	X509_STORE_CTX_cleanup(ctx);

	Free(ctx);

}

void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,

	     STACK_OF(X509) *chain)

	{

	ctx->cert=x509;

	ctx->untrusted=chain;

	ctx->last_untrusted=0;

	ctx->chain_purpose=0;

	ctx->trust_purpose=0;

	ctx->valid=0;

	ctx->chain=NULL;

	ctx->depth=9;

		return("certificate chain too long");

	case X509_V_ERR_CERT_REVOKED:

		return("certificate revoked");

	case X509_V_ERR_INVALID_CA:

		return ("invalid CA certificate");

	case X509_V_ERR_PATH_LENGTH_EXCEEDED:

		return ("path length constraint exceeded");

	case X509_V_ERR_INVALID_PURPOSE:

		return ("unsupported certificate purpose");

	case X509_V_ERR_APPLICATION_VERIFICATION:

		return("application verification failure");

	default:

#include <openssl/evp.h>

#include <openssl/asn1.h>

#include <openssl/x509.h>

#include <openssl/x509v3.h>

#include <openssl/objects.h>

static int null_callback(int ok,X509_STORE_CTX *e);

static int check_chain_purpose(X509_STORE_CTX *ctx);

static int internal_verify(X509_STORE_CTX *ctx);

const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;

		if (!ok) goto end;

		}

	/* We have the chain complete: now we need to check its purpose */

	if(ctx->chain_purpose > 0) ok = check_chain_purpose(ctx);

	if(!ok) goto end;

	/* We may as well copy down any DSA parameters that are required */

	X509_get_pubkey_parameters(NULL,ctx->chain);

	return(ok);

	}

/* Check a certificate chains extensions for consistency

 * with the supplied purpose

 */

static int check_chain_purpose(X509_STORE_CTX *ctx)

{

#ifdef NO_CHAIN_VERIFY

	return 1;

#else

	int i, ok=0;

	X509 *x;

	int (*cb)();

	cb=ctx->ctx->verify_cb;

	if (cb == NULL) cb=null_callback;

	/* Check all untrusted certificates */

	for(i = 0; i < ctx->last_untrusted; i++) {

		x = sk_X509_value(ctx->chain, i);

		if(!X509_check_purpose(x, ctx->chain_purpose, i)) {

			if(i) ctx->error = X509_V_ERR_INVALID_CA;

			else ctx->error = X509_V_ERR_INVALID_PURPOSE;

			ctx->error_depth = i;

			ctx->current_cert = x;

			ok=cb(0,ctx);

			if(!ok) goto end;

		}

		/* Check pathlen */

		if((i > 1) && (x->ex_pathlen != -1)

					&& (i > (x->ex_pathlen + 1))) {

			ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;

			ctx->error_depth = i;

			ctx->current_cert = x;

			ok=cb(0,ctx);

			if(!ok) goto end;

		}

	}

	ok = 1;

	end:

	return(ok);

#endif

}

static int internal_verify(X509_STORE_CTX *ctx)

	{

	int i,ok=0,n;

	ctx->untrusted=sk;

	}

void X509_STORE_CTX_chain_purpose(X509_STORE_CTX *ctx, int purpose)

	{

	ctx->chain_purpose = purpose;

	}

void X509_STORE_CTX_trust_purpose(X509_STORE_CTX *ctx, int purpose)

	{

	ctx->trust_purpose = purpose;

	}

IMPLEMENT_STACK_OF(X509)

IMPLEMENT_ASN1_SET_OF(X509)

	/* The following are set by the caller */

	X509 *cert;		/* The cert to check */

	STACK_OF(X509) *untrusted;	/* chain of X509s - untrusted - passed in */

	int chain_purpose;		/* purpose to check untrusted certificates */

	int trust_purpose;		/* trust setting to check */

	/* The following is built up */

	int depth;		/* how far to go looking up certs */

#define		X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE	21

#define		X509_V_ERR_CERT_CHAIN_TOO_LONG			22

#define		X509_V_ERR_CERT_REVOKED				23

#define		X509_V_ERR_INVALID_CA				24

#define		X509_V_ERR_PATH_LENGTH_EXCEEDED			25

#define		X509_V_ERR_INVALID_PURPOSE			26

/* The application is not happy */

#define		X509_V_ERR_APPLICATION_VERIFICATION		50

X509_STORE *X509_STORE_new(void );

void X509_STORE_free(X509_STORE *v);

X509_STORE_CTX *X509_STORE_CTX_new(void);

void X509_STORE_CTX_free(X509_STORE_CTX *ctx);

void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,

			 X509 *x509, STACK_OF(X509) *chain);

void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);

STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);

void	X509_STORE_CTX_set_cert(X509_STORE_CTX *c,X509 *x);

void	X509_STORE_CTX_set_chain(X509_STORE_CTX *c,STACK_OF(X509) *sk);

void X509_STORE_CTX_chain_purpose(X509_STORE_CTX *ctx, int purpose);

void X509_STORE_CTX_trust_purpose(X509_STORE_CTX *ctx, int purpose);

#ifdef  __cplusplus

}