author | Shane Lontis <shane.lontis@oracle.com> | 2021-03-31 15:10:22 +1000 |
---|---|---|
committer | Shane Lontis <shane.lontis@oracle.com> | 2021-04-08 11:30:44 +1000 |
commit | e6c2f96489fc0c006845c8597f8ceed2f01f76ee (patch) | |
tree | 87b519bbf7cf1a1966d44fbd70121e1ba77d550d /crypto/x509 | |
parent | 09fba0b44032c2f66d5e7e8c732869e031ce74c8 (diff) | |
Fix more certificate related lib_ctx settings.
Fixes #13732
Fix a few places that were not using the '_ex' variants of
ASN1_item_sign/verify.
Added X509_CRL_new_ex().
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14752)
Diffstat (limited to 'crypto/x509')
-rw-r--r-- | crypto/x509/x509_vfy.c | 2 | ||||
-rw-r--r-- | crypto/x509/x_all.c | 19 | ||||
-rw-r--r-- | crypto/x509/x_crl.c | 17 |
3 files changed, 27 insertions, 11 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 6c6d5442f2..01871b9090 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2052,7 +2052,7 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
 return NULL;
 }
 /* Create new CRL */
- crl = X509_CRL_new();
+ crl = X509_CRL_new_ex(base->libctx, base->propq);
 if (crl == NULL || !X509_CRL_set_version(crl, 1))
 goto memerr;
 /* Set issuer name */
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 042425456c..9733597d37 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -59,8 +59,9 @@ int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
 x->cert_info.enc.modified = 1;
- return ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
- &x->sig_alg, &x->signature, &x->cert_info, pkey, md);
+ return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
+ &x->sig_alg, &x->signature, &x->cert_info, NULL,
+ pkey, md, x->libctx, x->propq);
 }
 int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
@@ -89,8 +90,9 @@ X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
- return ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
- x->signature, &x->req_info, pkey, md);
+ return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
+ x->signature, &x->req_info, NULL,
+ pkey, md, x->libctx, x->propq);
 }
 int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
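Review bot: The delta CRL created in X509_CRL_diff (x509_vfy.c hunk) takes its library context and property query from `base` only, and nothing in the hunk says what is expected when `newer` was created under a different context. A short comment at the call would record the choice, for example `/* The delta CRL uses base's libctx/propq; newer is assumed to share them */`. The function starts and ends outside the hunk, so whether the two CRLs are compared elsewhere cannot be seen from here.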
@@ -103,8 +105,9 @@ int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
 x->crl.enc.modified = 1;
- return ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
- &x->sig_alg, &x->signature, &x->crl, pkey, md);
+ return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
+ &x->sig_alg, &x->signature, &x->crl, NULL,
+ pkey, md, x->libctx, x->propq);
 }
 int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
@@ -123,8 +126,8 @@ X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
- return ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
- x->signature, x->spkac, pkey, md);
+ return ASN1_item_sign_ex(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
+ x->signature, x->spkac, NULL, pkey, md, NULL, NULL);
 }
 #ifndef OPENSSL_NO_STDIO
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index dfe3da37eb..4b90e5b756 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -340,6 +340,18 @@ static int X509_REVOKED_cmp(const X509_REVOKED *const *a,
 (ASN1_STRING *)&(*b)->serialNumber));
 }
+X509_CRL *X509_CRL_new_ex(OSSL_LIB_CTX *libctx, const char *propq)
+{
+ X509_CRL *crl = NULL;
+
+ crl = (X509_CRL *)ASN1_item_new((X509_CRL_it()));
+ if (!ossl_x509_crl_set0_libctx(crl, libctx, propq)) {
+ X509_CRL_free(crl);
+ crl = NULL;
+ }
+ return crl;
+}
+
 int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
 {
 X509_CRL_INFO *inf;
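Review bot: NETSCAPE_SPKI_sign passes `NULL, NULL` for the library context and property query, so unlike the three other signing functions changed in x_all.c it still fetches its algorithms from the default library context. For an application that keeps its providers (a FIPS provider, for instance) in a non-default context, this is the one signing path here that would not honour that choice. If NETSCAPE_SPKI has no libctx/propq fields to pass, which the hunk suggests but does not show, a comment at the call would record the limitation: `/* NETSCAPE_SPKI carries no libctx/propq, so the default library context is used */`.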
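Review bot: In X509_CRL_new_ex the result of ASN1_item_new() goes straight into ossl_x509_crl_set0_libctx() without a NULL check, so the allocation-failure path depends on that helper accepting a NULL `crl`; the helper is defined outside this diff. An explicit guard right after the allocation, `if (crl == NULL) return NULL;`, keeps the failure path local and readable. The `= NULL` initialiser is also redundant, since `crl` is assigned on the next statement.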
@@ -381,8 +393,9 @@ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x)
 static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r)
 {
- return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO),
- &crl->sig_alg, &crl->signature, &crl->crl, r));
+ return (ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CRL_INFO),
+ &crl->sig_alg, &crl->signature, &crl->crl, NULL,
+ r, crl->libctx, crl->propq));
 }
 static int crl_revoked_issuer_match(X509_CRL *crl, const X509_NAME *nm, |
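Review bot: def_crl_verify takes the library context from the CRL object itself, and the only place this diff sets it is X509_CRL_new_ex. A CRL obtained some other way, such as a decoded one, presumably has `crl->libctx` NULL and is verified under the default context; this cannot be confirmed from the hunk. A one-line comment above the call would make that dependency visible to callers who expect a specific provider to do the verification: `/* Uses the libctx/propq stored on the CRL; NULL means the default library context */`.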