in tls/s2n_config.c [543:594]
/* Runs s2n_security_policy_validate_certificate_chain over every populated
 * slot of one certs_by_type table. Empty (NULL) slots are skipped; the first
 * validation error is propagated unchanged to the caller.
 */
static S2N_RESULT s2n_config_validate_certs_by_type(const struct s2n_security_policy *security_policy,
        const struct certs_by_type *certs_by_type)
{
    for (int type = 0; type < S2N_CERT_TYPE_COUNT; type++) {
        struct s2n_cert_chain_and_key *chain = certs_by_type->certs[type];
        if (chain != NULL) {
            RESULT_GUARD(s2n_security_policy_validate_certificate_chain(security_policy, chain));
        }
    }
    return S2N_RESULT_OK;
}

/* Checks every certificate chain already loaded into `config` against the
 * certificate preferences of `security_policy`.
 *
 * The check is a no-op (S2N_RESULT_OK) when the policy declares neither
 * certificate key preferences nor certificate signature preferences, or when
 * its preferences are not flagged to apply to locally configured certificates.
 * Otherwise both the per-type default chains and every chain reachable through
 * the domain-name map are validated; the first failure is returned.
 *
 * Returns S2N_RESULT_OK on success, or the error raised by the first failing
 * argument check or chain validation.
 */
S2N_RESULT s2n_config_validate_loaded_certificates(const struct s2n_config *config,
        const struct s2n_security_policy *security_policy)
{
    RESULT_ENSURE_REF(config);
    RESULT_ENSURE_REF(security_policy);

    bool has_cert_preferences = security_policy->certificate_key_preferences != NULL
            || security_policy->certificate_signature_preferences != NULL;
    if (!has_cert_preferences) {
        return S2N_RESULT_OK;
    }

    /* s2n_security_policy_validate_certificate_chain performs this same
     * check per chain, but with many certificates configured even the walk
     * over the chains would be too expensive, so bail out up front.
     */
    if (!security_policy->certificate_preferences_apply_locally) {
        return S2N_RESULT_OK;
    }

    /* Default chains, one slot per certificate type. */
    RESULT_GUARD(s2n_config_validate_certs_by_type(security_policy, &config->default_certs_by_type));

    /* Chains registered per domain name, if any were configured. */
    if (config->domain_name_to_cert_map == NULL) {
        return S2N_RESULT_OK;
    }

    struct s2n_map_iterator domain_iter = { 0 };
    RESULT_GUARD(s2n_map_iterator_init(&domain_iter, config->domain_name_to_cert_map));
    while (s2n_map_iterator_has_next(&domain_iter)) {
        struct s2n_blob entry = { 0 };
        RESULT_GUARD(s2n_map_iterator_next(&domain_iter, &entry));
        /* Map values are stored as blobs whose data points at a certs_by_type
         * table; assumed to be non-NULL for every entry - TODO confirm against
         * the insertion path. */
        const struct certs_by_type *domain_certs = (const void *) entry.data;
        RESULT_GUARD(s2n_config_validate_certs_by_type(security_policy, domain_certs));
    }

    return S2N_RESULT_OK;
}