For consistency with other cases if we are performing
partial chain verification with just one certificate
notify the callback with ok==1.
(cherry picked from commit 852553d9005e13aed7feb986a5d71cb885b994c7)

When verifying a partial path always check to see if the EE certificate
is explicitly trusted: the path could contain other untrusted certificates.

PR #3090
Reported by: Franck Youssef <fry@open.ch>

If no new reason codes are obtained after checking a CRL exit with an
error to avoid repeatedly checking the same CRL.

This will only happen if verify errors such as invalid CRL scope are
overridden in a callback.

the trust store.

trusted store instead of the default which is to return an error if
we can't build the complete chain.

Use -1 to check all extensions in CRLs.
Always set flag for freshest CRL.

Add new verify options to set checks.

Remove previous -check* commands from s_client and s_server.

New function X509_chain_up_ref to dup and up the reference count of
a STACK_OF(X509): replace equivalent functionality in several places
by the equivalent call.

Submitted by: Christoph Viethen <cv@kawo2.rwth-aachen.de>
Reviewed by: steve

Handle timezones correctly in UTCTime.

produce an error (CVE-2011-3207)

Reviewed by: steve

If store is NULL set flags correctly.

certificate is explicitly trusted (using -addtrust option to x509 utility
for example) the verification is sucessful even if the chain is not complete.

Submitted by: Rob Austein <sra@hactrn.net>
Approved by: steve@openssl.org

Initialise atm.flags to 0.

information. Add more informative message to verify callback to indicate
when CRL path validation is taking place.

for the leaf certificate of a CRL path.

Submitted by: steve@openssl.org

Include a flag ASN1_STRING_FLAG_MSTRING when a multi string type is created.
This makes it possible to tell if the underlying type is UTCTime,
GeneralizedTime or Time when the structure is reused and X509_time_adj_ex()
can handle each case in an appropriate manner.

Add error checking to CRL generation in ca utility when nextUpdate is being
set.

and should avoid any OS date limitations such as the year 2038 bug.

a delta CRL in addition to a full CRL. Check and search delta in addition to
the base.

Tidy CRL scoring system.

Add new CRL path validation error.

and CRL signing keys.

CRL issuer is not part of the main path.

Not complete yet and not compiled in because the CRL issuer certificate is
not validated.

Delete X509_POLICY_REF code.

Fix handling of invalid policy extensions to return the correct error.

Add command line option to inhibit policy mappings.

TODO: robustness checking on name forms.

fields.

Allow inibit any policy flag to be set in apps.