/src/libressl/crypto/x509/x509_trs.c

Source (jump to first uncovered line)
/* $OpenBSD: x509_trs.c,v 1.25 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
/* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#include <stdio.h>
#include <string.h>

#include <openssl/err.h>
#include <openssl/x509v3.h>

#include "x509_lcl.h"

static int tr_cmp(const X509_TRUST * const *a, const X509_TRUST * const *b);
static void trtable_free(X509_TRUST *p);

static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags);
static int trust_1oid(X509_TRUST *trust, X509 *x, int flags);
static int trust_compat(X509_TRUST *trust, X509 *x, int flags);

static int obj_trust(int id, X509 *x, int flags);
static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;

/* WARNING: the following table should be kept in order of trust
 * and without any gaps so we can just subtract the minimum trust
 * value to get an index into the table
 */

static X509_TRUST trstandard[] = {
  {X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},
  {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
  {X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
  {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
  {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL},
  {X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},
  {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL},
  {X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL}
};

#define X509_TRUST_COUNT  (sizeof(trstandard)/sizeof(X509_TRUST))

static STACK_OF(X509_TRUST) *trtable = NULL;

static int
tr_cmp(const X509_TRUST * const *a, const X509_TRUST * const *b)
{
  return (*a)->trust - (*b)->trust;
}

int
(*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
{
  int (*oldtrust)(int , X509 *, int);

  oldtrust = default_trust;
  default_trust = trust;
  return oldtrust;
}

int
X509_check_trust(X509 *x, int id, int flags)
{
  X509_TRUST *pt;
  int idx;

  if (id == -1)
    return 1;
  /*
   * XXX beck/jsing This enables self signed certs to be trusted for
   * an unspecified id/trust flag value (this is NOT the
   * X509_TRUST_DEFAULT), which was the longstanding
   * openssl behaviour. boringssl does not have this behaviour.
   *
   * This should be revisited, but changing the default "not default"
   * may break things.
   */
  if (id == 0) {
    int rv;
    rv = obj_trust(NID_anyExtendedKeyUsage, x, 0);
    if (rv != X509_TRUST_UNTRUSTED)
      return rv;
    return trust_compat(NULL, x, 0);
  }
  idx = X509_TRUST_get_by_id(id);
  if (idx == -1)
    return default_trust(id, x, flags);
  pt = X509_TRUST_get0(idx);
  return pt->check_trust(pt, x, flags);
}

int
X509_TRUST_get_count(void)
{
  if (!trtable)
    return X509_TRUST_COUNT;
  return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT;
}

X509_TRUST *
X509_TRUST_get0(int idx)
{
  if (idx < 0)
    return NULL;
  if (idx < (int)X509_TRUST_COUNT)
    return trstandard + idx;
  return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT);
}

int
X509_TRUST_get_by_id(int id)
{
  X509_TRUST tmp;
  int idx;

  if ((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX))
    return id - X509_TRUST_MIN;
  tmp.trust = id;
  if (!trtable)
    return -1;
  idx = sk_X509_TRUST_find(trtable, &tmp);
  if (idx == -1)
    return -1;
  return idx + X509_TRUST_COUNT;
}

int
X509_TRUST_set(int *t, int trust)
{
  if (X509_TRUST_get_by_id(trust) == -1) {
    X509error(X509_R_INVALID_TRUST);
    return 0;
  }
  *t = trust;
  return 1;
}

int
X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
    const char *name, int arg1, void *arg2)
{
  int idx;
  X509_TRUST *trtmp;
  char *name_dup;

  /* This is set according to what we change: application can't set it */
  flags &= ~X509_TRUST_DYNAMIC;
  /* This will always be set for application modified trust entries */
  flags |= X509_TRUST_DYNAMIC_NAME;
  /* Get existing entry if any */
  idx = X509_TRUST_get_by_id(id);
  /* Need a new entry */
  if (idx == -1) {
    if (!(trtmp = malloc(sizeof(X509_TRUST)))) {
      X509error(ERR_R_MALLOC_FAILURE);
      return 0;
    }
    trtmp->flags = X509_TRUST_DYNAMIC;
  } else {
    trtmp = X509_TRUST_get0(idx);
    if (trtmp == NULL) {
      X509error(X509_R_INVALID_TRUST);
      return 0;
    }
  }

  if ((name_dup = strdup(name)) == NULL)
    goto err;

  /* free existing name if dynamic */
  if (trtmp->flags & X509_TRUST_DYNAMIC_NAME)
    free(trtmp->name);
  /* dup supplied name */
  trtmp->name = name_dup;
  /* Keep the dynamic flag of existing entry */
  trtmp->flags &= X509_TRUST_DYNAMIC;
  /* Set all other flags */
  trtmp->flags |= flags;

  trtmp->trust = id;
  trtmp->check_trust = ck;
  trtmp->arg1 = arg1;
  trtmp->arg2 = arg2;

  /* If it's a new entry, manage the dynamic table */
  if (idx == -1) {
    if (trtable == NULL &&
        (trtable = sk_X509_TRUST_new(tr_cmp)) == NULL)
      goto err;
    if (sk_X509_TRUST_push(trtable, trtmp) == 0)
      goto err;
  }
  return 1;

err:
  free(name_dup);
  if (idx == -1)
    free(trtmp);
  X509error(ERR_R_MALLOC_FAILURE);
  return 0;
}

static void
trtable_free(X509_TRUST *p)
{
  if (!p)
    return;
  if (p->flags & X509_TRUST_DYNAMIC) {
    if (p->flags & X509_TRUST_DYNAMIC_NAME)
      free(p->name);
    free(p);
  }
}

void
X509_TRUST_cleanup(void)
{
  sk_X509_TRUST_pop_free(trtable, trtable_free);
  trtable = NULL;
}

int
X509_TRUST_get_flags(const X509_TRUST *xp)
{
  return xp->flags;
}

char *
X509_TRUST_get0_name(const X509_TRUST *xp)
{
  return xp->name;
}

int
X509_TRUST_get_trust(const X509_TRUST *xp)
{
  return xp->trust;
}

static int
trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
{
  if (x->aux && (x->aux->trust || x->aux->reject))
    return obj_trust(trust->arg1, x, flags);
  /* we don't have any trust settings: for compatibility
   * we return trusted if it is self signed
   */
  return trust_compat(trust, x, flags);
}

static int
trust_1oid(X509_TRUST *trust, X509 *x, int flags)
{
  if (x->aux)
    return obj_trust(trust->arg1, x, flags);
  return X509_TRUST_UNTRUSTED;
}

static int
trust_compat(X509_TRUST *trust, X509 *x, int flags)
{
  X509_check_purpose(x, -1, 0);
  if (x->ex_flags & EXFLAG_SS)
    return X509_TRUST_TRUSTED;
  else
    return X509_TRUST_UNTRUSTED;
}

static int
obj_trust(int id, X509 *x, int flags)
{
  ASN1_OBJECT *obj;
  int i;
  X509_CERT_AUX *ax;

  ax = x->aux;
  if (!ax)
    return X509_TRUST_UNTRUSTED;
  if (ax->reject) {
    for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
      obj = sk_ASN1_OBJECT_value(ax->reject, i);
      if (OBJ_obj2nid(obj) == id)
        return X509_TRUST_REJECTED;
    }
  }
  if (ax->trust) {
    for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
      obj = sk_ASN1_OBJECT_value(ax->trust, i);
      if (OBJ_obj2nid(obj) == id)
        return X509_TRUST_TRUSTED;
    }
  }
  return X509_TRUST_UNTRUSTED;
}

Coverage Report

Created: 2022-08-24 06:30

Line	Count	Source (jump to first uncovered line)
1		/* $OpenBSD: x509_trs.c,v 1.25 2021/11/01 20:53:08 tb Exp $ */
2		/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3		* project 1999.
4		*/
5		/* ====================================================================
6		* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
7		*
8		* Redistribution and use in source and binary forms, with or without
9		* modification, are permitted provided that the following conditions
10		* are met:
11		*
12		* 1. Redistributions of source code must retain the above copyright
13		* notice, this list of conditions and the following disclaimer.
14		*
15		* 2. Redistributions in binary form must reproduce the above copyright
16		* notice, this list of conditions and the following disclaimer in
17		* the documentation and/or other materials provided with the
18		* distribution.
19		*
20		* 3. All advertising materials mentioning features or use of this
21		* software must display the following acknowledgment:
22		* "This product includes software developed by the OpenSSL Project
23		* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24		*
25		* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26		* endorse or promote products derived from this software without
27		* prior written permission. For written permission, please contact
28		* licensing@OpenSSL.org.
29		*
30		* 5. Products derived from this software may not be called "OpenSSL"
31		* nor may "OpenSSL" appear in their names without prior written
32		* permission of the OpenSSL Project.
33		*
34		* 6. Redistributions of any form whatsoever must retain the following
35		* acknowledgment:
36		* "This product includes software developed by the OpenSSL Project
37		* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38		*
39		* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40		* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41		* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42		* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43		* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44		* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45		* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46		* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47		* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48		* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49		* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50		* OF THE POSSIBILITY OF SUCH DAMAGE.
51		* ====================================================================
52		*
53		* This product includes cryptographic software written by Eric Young
54		* (eay@cryptsoft.com). This product includes software written by Tim
55		* Hudson (tjh@cryptsoft.com).
56		*
57		*/
58
59		#include <stdio.h>
60		#include <string.h>
61
62		#include <openssl/err.h>
63		#include <openssl/x509v3.h>
64
65		#include "x509_lcl.h"
66
67		static int tr_cmp(const X509_TRUST * const a, const X509_TRUST const *b);
68		static void trtable_free(X509_TRUST *p);
69
70		static int trust_1oidany(X509_TRUST trust, X509 x, int flags);
71		static int trust_1oid(X509_TRUST trust, X509 x, int flags);
72		static int trust_compat(X509_TRUST trust, X509 x, int flags);
73
74		static int obj_trust(int id, X509 *x, int flags);
75		static int (default_trust)(int id, X509 x, int flags) = obj_trust;
76
77		/* WARNING: the following table should be kept in order of trust
78		* and without any gaps so we can just subtract the minimum trust
79		* value to get an index into the table
80		*/
81
82		static X509_TRUST trstandard[] = {
83		{X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},
84		{X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
85		{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
86		{X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
87		{X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, "Object Signer", NID_code_sign, NULL},
88		{X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},
89		{X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL},
90		{X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL}
91		};
92
93	0	#define X509_TRUST_COUNT (sizeof(trstandard)/sizeof(X509_TRUST))
94
95		static STACK_OF(X509_TRUST) *trtable = NULL;
96
97		static int
98		tr_cmp(const X509_TRUST * const a, const X509_TRUST const *b)
99	0	{
100	0	return (a)->trust - (b)->trust;
101	0	}
102
103		int
104		(X509_TRUST_set_default(int (trust)(int , X509 , int)))(int, X509 , int)
105	0	{
106	0	int (oldtrust)(int , X509 , int);
107
108	0	oldtrust = default_trust;
109	0	default_trust = trust;
110	0	return oldtrust;
111	0	}
112
113		int
114		X509_check_trust(X509 *x, int id, int flags)
115	0	{
116	0	X509_TRUST *pt;
117	0	int idx;
118
119	0	if (id == -1)
120	0	return 1;
121		/*
122		* XXX beck/jsing This enables self signed certs to be trusted for
123		* an unspecified id/trust flag value (this is NOT the
124		* X509_TRUST_DEFAULT), which was the longstanding
125		* openssl behaviour. boringssl does not have this behaviour.
126		*
127		* This should be revisited, but changing the default "not default"
128		* may break things.
129		*/
130	0	if (id == 0) {
131	0	int rv;
132	0	rv = obj_trust(NID_anyExtendedKeyUsage, x, 0);
133	0	if (rv != X509_TRUST_UNTRUSTED)
134	0	return rv;
135	0	return trust_compat(NULL, x, 0);
136	0	}
137	0	idx = X509_TRUST_get_by_id(id);
138	0	if (idx == -1)
139	0	return default_trust(id, x, flags);
140	0	pt = X509_TRUST_get0(idx);
141	0	return pt->check_trust(pt, x, flags);
142	0	}
143
144		int
145		X509_TRUST_get_count(void)
146	0	{
147	0	if (!trtable)
148	0	return X509_TRUST_COUNT;
149	0	return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT;
150	0	}
151
152		X509_TRUST *
153		X509_TRUST_get0(int idx)
154	0	{
155	0	if (idx < 0)
156	0	return NULL;
157	0	if (idx < (int)X509_TRUST_COUNT)
158	0	return trstandard + idx;
159	0	return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT);
160	0	}
161
162		int
163		X509_TRUST_get_by_id(int id)
164	0	{
165	0	X509_TRUST tmp;
166	0	int idx;
167
168	0	if ((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX))
169	0	return id - X509_TRUST_MIN;
170	0	tmp.trust = id;
171	0	if (!trtable)
172	0	return -1;
173	0	idx = sk_X509_TRUST_find(trtable, &tmp);
174	0	if (idx == -1)
175	0	return -1;
176	0	return idx + X509_TRUST_COUNT;
177	0	}
178
179		int
180		X509_TRUST_set(int *t, int trust)
181	0	{
182	0	if (X509_TRUST_get_by_id(trust) == -1) {
183	0	X509error(X509_R_INVALID_TRUST);
184	0	return 0;
185	0	}
186	0	*t = trust;
187	0	return 1;
188	0	}
189
190		int
191		X509_TRUST_add(int id, int flags, int (ck)(X509_TRUST , X509 *, int),
192		const char name, int arg1, void arg2)
193	0	{
194	0	int idx;
195	0	X509_TRUST *trtmp;
196	0	char *name_dup;
197
198		/* This is set according to what we change: application can't set it */
199	0	flags &= ~X509_TRUST_DYNAMIC;
200		/* This will always be set for application modified trust entries */
201	0	flags \|= X509_TRUST_DYNAMIC_NAME;
202		/* Get existing entry if any */
203	0	idx = X509_TRUST_get_by_id(id);
204		/* Need a new entry */
205	0	if (idx == -1) {
206	0	if (!(trtmp = malloc(sizeof(X509_TRUST)))) {
207	0	X509error(ERR_R_MALLOC_FAILURE);
208	0	return 0;
209	0	}
210	0	trtmp->flags = X509_TRUST_DYNAMIC;
211	0	} else {
212	0	trtmp = X509_TRUST_get0(idx);
213	0	if (trtmp == NULL) {
214	0	X509error(X509_R_INVALID_TRUST);
215	0	return 0;
216	0	}
217	0	}
218
219	0	if ((name_dup = strdup(name)) == NULL)
220	0	goto err;
221
222		/* free existing name if dynamic */
223	0	if (trtmp->flags & X509_TRUST_DYNAMIC_NAME)
224	0	free(trtmp->name);
225		/* dup supplied name */
226	0	trtmp->name = name_dup;
227		/* Keep the dynamic flag of existing entry */
228	0	trtmp->flags &= X509_TRUST_DYNAMIC;
229		/* Set all other flags */
230	0	trtmp->flags \|= flags;
231
232	0	trtmp->trust = id;
233	0	trtmp->check_trust = ck;
234	0	trtmp->arg1 = arg1;
235	0	trtmp->arg2 = arg2;
236
237		/* If it's a new entry, manage the dynamic table */
238	0	if (idx == -1) {
239	0	if (trtable == NULL &&
240	0	(trtable = sk_X509_TRUST_new(tr_cmp)) == NULL)
241	0	goto err;
242	0	if (sk_X509_TRUST_push(trtable, trtmp) == 0)
243	0	goto err;
244	0	}
245	0	return 1;
246
247	0	err:
248	0	free(name_dup);
249	0	if (idx == -1)
250	0	free(trtmp);
251	0	X509error(ERR_R_MALLOC_FAILURE);
252	0	return 0;
253	0	}
254
255		static void
256		trtable_free(X509_TRUST *p)
257	0	{
258	0	if (!p)
259	0	return;
260	0	if (p->flags & X509_TRUST_DYNAMIC) {
261	0	if (p->flags & X509_TRUST_DYNAMIC_NAME)
262	0	free(p->name);
263	0	free(p);
264	0	}
265	0	}
266
267		void
268		X509_TRUST_cleanup(void)
269	0	{
270	0	sk_X509_TRUST_pop_free(trtable, trtable_free);
271	0	trtable = NULL;
272	0	}
273
274		int
275		X509_TRUST_get_flags(const X509_TRUST *xp)
276	0	{
277	0	return xp->flags;
278	0	}
279
280		char *
281		X509_TRUST_get0_name(const X509_TRUST *xp)
282	0	{
283	0	return xp->name;
284	0	}
285
286		int
287		X509_TRUST_get_trust(const X509_TRUST *xp)
288	0	{
289	0	return xp->trust;
290	0	}
291
292		static int
293		trust_1oidany(X509_TRUST trust, X509 x, int flags)
294	0	{
295	0	if (x->aux && (x->aux->trust \|\| x->aux->reject))
296	0	return obj_trust(trust->arg1, x, flags);
297		/* we don't have any trust settings: for compatibility
298		* we return trusted if it is self signed
299		*/
300	0	return trust_compat(trust, x, flags);
301	0	}
302
303		static int
304		trust_1oid(X509_TRUST trust, X509 x, int flags)
305	0	{
306	0	if (x->aux)
307	0	return obj_trust(trust->arg1, x, flags);
308	0	return X509_TRUST_UNTRUSTED;
309	0	}
310
311		static int
312		trust_compat(X509_TRUST trust, X509 x, int flags)
313	0	{
314	0	X509_check_purpose(x, -1, 0);
315	0	if (x->ex_flags & EXFLAG_SS)
316	0	return X509_TRUST_TRUSTED;
317	0	else
318	0	return X509_TRUST_UNTRUSTED;
319	0	}
320
321		static int
322		obj_trust(int id, X509 *x, int flags)
323	0	{
324	0	ASN1_OBJECT *obj;
325	0	int i;
326	0	X509_CERT_AUX *ax;
327
328	0	ax = x->aux;
329	0	if (!ax)
330	0	return X509_TRUST_UNTRUSTED;
331	0	if (ax->reject) {
332	0	for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
333	0	obj = sk_ASN1_OBJECT_value(ax->reject, i);
334	0	if (OBJ_obj2nid(obj) == id)
335	0	return X509_TRUST_REJECTED;
336	0	}
337	0	}
338	0	if (ax->trust) {
339	0	for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
340	0	obj = sk_ASN1_OBJECT_value(ax->trust, i);
341	0	if (OBJ_obj2nid(obj) == id)
342	0	return X509_TRUST_TRUSTED;
343	0	}
344	0	}
345	0	return X509_TRUST_UNTRUSTED;
346	0	}