26 const OSSL_CMP_MSG *msg, X509 *cert) in verify_signature() argument
33 if (!ossl_assert(cmp_ctx != NULL && msg != NULL && cert != NULL)) in verify_signature()
40 && (X509_get_key_usage(cert) & X509v3_KU_DIGITAL_SIGNATURE) == 0) { in verify_signature()
45 pubkey = X509_get_pubkey(cert); in verify_signature()
63 res = ossl_x509_print_ex_brief(bio, cert, X509_FLAG_NO_EXTENSIONS); in verify_signature()
100 * certs (possibly including CRLs and a cert verification callback function)
106 X509_STORE *trusted_store, X509 *cert) in OSSL_CMP_validate_cert_path() argument
112 if (ctx == NULL || cert == NULL) { in OSSL_CMP_validate_cert_path()
124 cert, ctx->untrusted)) in OSSL_CMP_validate_cert_path()
174 /* Return 0 if skid != NULL and there is no matching subject key ID in cert */
198 ossl_cmp_log1(INFO, ctx, " cert Subject Key Identifier = %s", str); in check_kid()
206 static int already_checked(const X509 *cert, in already_checked() argument
212 if (X509_cmp(sk_X509_value(already_checked, i - 1), cert) == 0) in already_checked()
218 * Check if the given cert is acceptable as sender cert of the given message.
220 * and the cert must be current (checked if ctx->trusted is not NULL).
221 * Note that cert revocation etc. is checked by OSSL_CMP_validate_cert_path().
226 const char *desc1, const char *desc2, X509 *cert, in cert_acceptable() argument
232 int self_issued = X509_check_issued(cert, cert) == X509_V_OK; in cert_acceptable()
239 if ((str = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0)) != NULL) in cert_acceptable()
243 str = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0); in cert_acceptable()
249 if (already_checked(cert, already_checked1) in cert_acceptable()
250 || already_checked(cert, already_checked2)) { in cert_acceptable()
251 ossl_cmp_info(ctx, " cert has already been checked"); in cert_acceptable()
255 time_cmp = X509_cmp_timeframe(vpm, X509_get0_notBefore(cert), in cert_acceptable()
256 X509_get0_notAfter(cert)); in cert_acceptable()
258 ossl_cmp_warn(ctx, time_cmp > 0 ? "cert has expired" in cert_acceptable()
259 : "cert is not yet valid"); in cert_acceptable()
264 "cert subject", X509_get_subject_name(cert), in cert_acceptable()
268 if (!check_kid(ctx, X509_get0_subject_key_id(cert), msg->header->senderKID)) in cert_acceptable()
271 if (!ossl_x509v3_cache_extensions(cert)) { in cert_acceptable()
272 ossl_cmp_warn(ctx, "cert appears to be invalid"); in cert_acceptable()
275 if (!verify_signature(ctx, msg, cert)) { in cert_acceptable()
280 ossl_cmp_info(ctx, " cert seems acceptable"); in cert_acceptable()
291 "msg signature validates but cert path validation failed"); in check_cert_path()
299 * from extraCerts as trust anchor to validate sender cert -
320 "also exceptional 3GPP mode cert path validation failed"); in check_cert_path_3gpp()
344 static int check_msg_given_cert(const OSSL_CMP_CTX *ctx, X509 *cert, in check_msg_given_cert() argument
347 return cert_acceptable(ctx, "previously validated", "sender cert", in check_msg_given_cert()
348 cert, NULL, NULL, msg) in check_msg_given_cert()
349 && (check_cert_path(ctx, ctx->trusted, cert) in check_msg_given_cert()
350 || check_cert_path_3gpp(ctx, msg, cert)); in check_msg_given_cert()
356 * On success cache the found cert using ossl_cmp_ctx_set0_validatedSrvCert().
374 X509 *cert = sk_X509_value(certs, i); in check_msg_with_certs() local
376 if (!ossl_assert(cert != NULL)) in check_msg_with_certs()
378 if (!cert_acceptable(ctx, "cert from", desc, cert, in check_msg_with_certs()
382 if (mode_3gpp ? check_cert_path_3gpp(ctx, msg, cert) in check_msg_with_certs()
383 : check_cert_path(ctx, ctx->trusted, cert)) { in check_msg_with_certs()
384 /* store successful sender cert for further msgs in transaction */ in check_msg_with_certs()
385 if (!X509_up_ref(cert)) in check_msg_with_certs()
387 if (!ossl_cmp_ctx_set0_validatedSrvCert(ctx, cert)) { in check_msg_with_certs()
388 X509_free(cert); in check_msg_with_certs()
395 ossl_cmp_warn(ctx, "no acceptable cert in extraCerts"); in check_msg_with_certs()
402 * On success cache the found cert using ossl_cmp_ctx_set0_validatedSrvCert().
446 * Verify message signature with any acceptable and valid candidate cert.
447 * On success cache the found cert using ossl_cmp_ctx_set0_validatedSrvCert().
451 X509 *scrt = ctx->validatedSrvCert; /* previous successful sender cert */ in check_msg_find_cert()
483 /* cached sender cert has shown to be no more successfully usable */ in check_msg_find_cert()
487 "trying to verify msg signature with previously validated cert"); in check_msg_find_cert()
499 /* failed finding a sender cert that verifies the message signature */ in check_msg_find_cert()
506 ossl_cmp_info(ctx, "trying to verify msg signature with a valid cert that.."); in check_msg_find_cert()
540 * On success cache the found cert using ossl_cmp_ctx_set0_validatedSrvCert().
623 …ossl_cmp_info(ctx, "no trust store nor pinned server cert available for verifying signature-based … in OSSL_CMP_validate_msg()
629 } else { /* use pinned sender cert */ in OSSL_CMP_validate_msg()