- // When we add CRLs, we have to be sure the nextUpdate hasn't passed, because OpenSSL won't accept
+ // When we add CRLs, we have to be sure the nextUpdate hasn't passed, because OpenSSL won't accept
// the CRL in that case. If we end up not adding a CRL for a particular link in the chain, the
// validation will fail (if the fullChain option was set).
set<string> crlissuers;
// the CRL in that case. If we end up not adding a CRL for a particular link in the chain, the
// validation will fail (if the fullChain option was set).
set<string> crlissuers;
// Do a second pass verify with CRLs in place. Reinitialize ctx, see
// https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=aae41f8c54257d9fa6904d3a9aa09c5db6cefd0d
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
// Do a second pass verify with CRLs in place. Reinitialize ctx, see
// https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=aae41f8c54257d9fa6904d3a9aa09c5db6cefd0d
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
- if (X509_STORE_CTX_init(&ctx,store,EE,untrusted) != 1) {
- log_openssl();
- m_log.error("unable to initialize X509_STORE_CTX");
- ret = 0;
- }
+ if (X509_STORE_CTX_init(&ctx,store,EE,untrusted) != 1) {
+ log_openssl();
+ m_log.error("unable to initialize X509_STORE_CTX");
+ ret = 0;
+ }
- X509_STORE_CTX_init(&ctx,store,EE,untrusted);
+ X509_STORE_CTX_init(&ctx,store,EE,untrusted);
- if (ret != 0) {
- X509_STORE_CTX_trusted_stack(&ctx,CAstack);
- X509_STORE_CTX_set_depth(&ctx,100); // already checked above
- X509_STORE_CTX_set_verify_cb(&ctx,error_callback);
- if (pkixParams->getRevocationChecking() == PKIXPathValidatorParams::REVOCATION_FULLCHAIN)
- X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
- else
- X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_CRL_CHECK);
- ret = X509_verify_cert(&ctx);
- }
+ if (ret != 0) {
+ X509_STORE_CTX_trusted_stack(&ctx,CAstack);
+ X509_STORE_CTX_set_depth(&ctx,100); // already checked above
+ X509_STORE_CTX_set_verify_cb(&ctx,error_callback);
+ if (pkixParams->getRevocationChecking() == PKIXPathValidatorParams::REVOCATION_FULLCHAIN)
+ X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+ else
+ X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_CRL_CHECK);
+ ret = X509_verify_cert(&ctx);
+ }