#define ns_reject(x, usage) \
(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
-int X509_check_ca(X509 *x)
+static int check_ca(const X509 *x)
{
- if(!(x->ex_flags & EXFLAG_SET)) {
- CRYPTO_w_lock(CRYPTO_LOCK_X509);
- x509v3_cache_extensions(x);
- CRYPTO_w_unlock(CRYPTO_LOCK_X509);
- }
-
/* keyUsage if present should allow cert signing */
if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
if(x->ex_flags & EXFLAG_BCONS) {
}
}
+int X509_check_ca(X509 *x)
+{
+ if(!(x->ex_flags & EXFLAG_SET)) {
+ CRYPTO_w_lock(CRYPTO_LOCK_X509);
+ x509v3_cache_extensions(x);
+ CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+ }
+
+ return check_ca(x);
+}
+
/* Check SSL CA: common checks for SSL client and server */
static int check_ssl_ca(const X509 *x)
{
int ca_ret;
- ca_ret = X509_check_ca(x);
+ ca_ret = check_ca(x);
if(!ca_ret) return 0;
/* check nsCertType if present */
if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret;
if(xku_reject(x,XKU_SMIME)) return 0;
if(ca) {
int ca_ret;
- ca_ret = X509_check_ca(x);
+ ca_ret = check_ca(x);
if(!ca_ret) return 0;
/* check nsCertType if present */
if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret;
{
if(ca) {
int ca_ret;
- if((ca_ret = X509_check_ca(x)) != 2) return ca_ret;
+ if((ca_ret = check_ca(x)) != 2) return ca_ret;
else return 0;
}
if(ku_reject(x, KU_CRL_SIGN)) return 0;
{
/* Must be a valid CA. Should we really support the "I don't know"
value (2)? */
- if(ca) return X509_check_ca(x);
+ if(ca) return check_ca(x);
/* leaf certificate is checked in OCSP_verify() */
return 1;
}
projects / oweals / openssl.git / commitdiff