Fix more certificate related lib_ctx settings.

Fixes #13732 Fix a few places that were not using the '_ex' variants of ASN1_item_sign/verify. Added X509_CRL_new_ex(). Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14752)
author: Shane Lontis <shane.lontis@oracle.com> 2021-03-31 15:10:22 +1000
committer: Shane Lontis <shane.lontis@oracle.com> 2021-04-08 11:30:44 +1000
commit: e6c2f96489fc0c006845c8597f8ceed2f01f76ee (patch)
tree: 87b519bbf7cf1a1966d44fbd70121e1ba77d550d /crypto/x509
parent: 09fba0b44032c2f66d5e7e8c732869e031ce74c8 (diff)
download: openssl-e6c2f96489fc0c006845c8597f8ceed2f01f76ee.tar.gz
3 files changed, 27 insertions, 11 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 6c6d5442f2..01871b9090 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2052,7 +2052,7 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
         return NULL;
     }
     /* Create new CRL */
-    crl = X509_CRL_new();
+    crl = X509_CRL_new_ex(base->libctx, base->propq);
     if (crl == NULL || !X509_CRL_set_version(crl, 1))
         goto memerr;
     /* Set issuer name */
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 042425456c..9733597d37 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -59,8 +59,9 @@ int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
     x->cert_info.enc.modified = 1;
-    return ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
-                          &x->sig_alg, &x->signature, &x->cert_info, pkey, md);
+    return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
+                             &x->sig_alg, &x->signature, &x->cert_info, NULL,
+                             pkey, md, x->libctx, x->propq);
 }
 
 int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
@@ -89,8 +90,9 @@ X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
 
 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
-    return ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
-                          x->signature, &x->req_info, pkey, md);
+    return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
+                             x->signature, &x->req_info, NULL,
+                             pkey, md, x->libctx, x->propq);
 }
 
 int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
@@ -103,8 +105,9 @@ int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
     x->crl.enc.modified = 1;
-    return ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
-                          &x->sig_alg, &x->signature, &x->crl, pkey, md);
+    return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
+                             &x->sig_alg, &x->signature, &x->crl, NULL,
+                             pkey, md, x->libctx, x->propq);
 }
 
 int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
@@ -123,8 +126,8 @@ X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
 
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
-    return ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
-                          x->signature, x->spkac, pkey, md);
+    return ASN1_item_sign_ex(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
+                          x->signature, x->spkac, NULL, pkey, md, NULL, NULL);
 }
 
 #ifndef OPENSSL_NO_STDIO
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index dfe3da37eb..4b90e5b756 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -340,6 +340,18 @@ static int X509_REVOKED_cmp(const X509_REVOKED *const *a,
                             (ASN1_STRING *)&(*b)->serialNumber));
 }
 
+X509_CRL *X509_CRL_new_ex(OSSL_LIB_CTX *libctx, const char *propq)
+{
+    X509_CRL *crl = NULL;
+
+    crl = (X509_CRL *)ASN1_item_new((X509_CRL_it()));
+    if (!ossl_x509_crl_set0_libctx(crl, libctx, propq)) {
+        X509_CRL_free(crl);
+        crl = NULL;
+    }
+    return crl;
+}
+
 int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
 {
     X509_CRL_INFO *inf;
@@ -381,8 +393,9 @@ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x)
 
 static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r)
 {
-    return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO),
-                             &crl->sig_alg, &crl->signature, &crl->crl, r));
+    return (ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CRL_INFO),
+                                &crl->sig_alg, &crl->signature, &crl->crl, NULL,
+                                r, crl->libctx, crl->propq));
 }
 
 static int crl_revoked_issuer_match(X509_CRL *crl, const X509_NAME *nm,
author	Shane Lontis <shane.lontis@oracle.com>	2021-03-31 15:10:22 +1000
committer	Shane Lontis <shane.lontis@oracle.com>	2021-04-08 11:30:44 +1000
commit	e6c2f96489fc0c006845c8597f8ceed2f01f76ee (patch)
tree	87b519bbf7cf1a1966d44fbd70121e1ba77d550d /crypto/x509
parent	09fba0b44032c2f66d5e7e8c732869e031ce74c8 (diff)
download	openssl-e6c2f96489fc0c006845c8597f8ceed2f01f76ee.tar.gz