mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-01-18 13:44:20 +08:00
Code Issues Packages Projects Releases Wiki Activity

Create a libctx aware X509_verify_ex()

Browse Source 
This is the same as X509_verify() except that it takes a libctx and propq
parameter and signature verification is done using those.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11507)
This commit is contained in:
Matt Caswell 2020-04-03 18:01:04 +01:00
parent b27ed81943
commit 0820217441
4 changed files with 25 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
crypto/x509/x509_vfy.c
View File

@ -1763,7 +1763,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n,
X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))
return 0;
} else if (X509_verify(xs, pkey) <= 0) {
} else if (X509_verify_ex(xs, pkey, ctx->libctx, ctx->propq) <= 0) {
if (!verify_cb_cert(ctx, xs, n,
X509_V_ERR_CERT_SIGNATURE_FAILURE))
return 0;
@ -2809,7 +2809,7 @@ static int check_dane_pkeys(X509_STORE_CTX *ctx)
if (t->usage != DANETLS_USAGE_DANE_TA ||
t->selector != DANETLS_SELECTOR_SPKI ||
t->mtype != DANETLS_MATCHING_FULL ||
X509_verify(cert, t->spki) <= 0)
X509_verify_ex(cert, t->spki, ctx->libctx, ctx->propq) <= 0)
continue;
/* Clear any PKIX-?? matches that failed to extend to a full chain */

24
crypto/x509/x_all.c
View File

@ -34,13 +34,14 @@ static void clean_id_ctx(EVP_MD_CTX *ctx)
EVP_MD_CTX_free(ctx);
}
static EVP_MD_CTX *make_id_ctx(EVP_PKEY *r, ASN1_OCTET_STRING *id)
static EVP_MD_CTX *make_id_ctx(EVP_PKEY *r, ASN1_OCTET_STRING *id,
OPENSSL_CTX *libctx, const char *propq)
{
EVP_MD_CTX *ctx = NULL;
EVP_PKEY_CTX *pctx = NULL;
if ((ctx = EVP_MD_CTX_new()) == NULL
|| (pctx = EVP_PKEY_CTX_new(r, NULL)) == NULL) {
|| (pctx = EVP_PKEY_CTX_new_from_pkey(libctx, r, propq)) == NULL) {
X509err(0, ERR_R_MALLOC_FAILURE);
goto error;
}
@ -63,7 +64,7 @@ static EVP_MD_CTX *make_id_ctx(EVP_PKEY *r, ASN1_OCTET_STRING *id)
return NULL;
}
int X509_verify(X509 *a, EVP_PKEY *r)
int X509_verify_ex(X509 *a, EVP_PKEY *r, OPENSSL_CTX *libctx, const char *propq)
{
int rv = 0;
EVP_MD_CTX *ctx = NULL;
@ -73,7 +74,7 @@ int X509_verify(X509 *a, EVP_PKEY *r)
return 0;
id = a->distinguishing_id;
if ((ctx = make_id_ctx(r, id)) != NULL) {
if ((ctx = make_id_ctx(r, id, libctx, propq)) != NULL) {
rv = ASN1_item_verify_ctx(ASN1_ITEM_rptr(X509_CINF), &a->sig_alg,
&a->signature, &a->cert_info, ctx);
clean_id_ctx(ctx);
@ -81,14 +82,20 @@ int X509_verify(X509 *a, EVP_PKEY *r)
return rv;
}
int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
int X509_verify(X509 *a, EVP_PKEY *r)
{
return X509_verify_ex(a, r, NULL, NULL);
}
int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *r, OPENSSL_CTX *libctx,
const char *propq)
{
int rv = 0;
EVP_MD_CTX *ctx = NULL;
ASN1_OCTET_STRING *id = NULL;
id = a->distinguishing_id;
if ((ctx = make_id_ctx(r, id)) != NULL) {
if ((ctx = make_id_ctx(r, id, libctx, propq)) != NULL) {
rv = ASN1_item_verify_ctx(ASN1_ITEM_rptr(X509_REQ_INFO), &a->sig_alg,
a->signature, &a->req_info, ctx);
clean_id_ctx(ctx);
@ -96,6 +103,11 @@ int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
return rv;
}
int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
{
return X509_REQ_verify_ex(a, r, NULL, NULL);
}
int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
{
return (ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC),

3
include/openssl/x509.h
View File

@ -355,8 +355,11 @@ void *X509_CRL_get_meth_data(X509_CRL *crl);
const char *X509_verify_cert_error_string(long n);
int X509_verify_ex(X509 *a, EVP_PKEY *r, OPENSSL_CTX *libctx, const char *propq);
int X509_verify(X509 *a, EVP_PKEY *r);
int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *r, OPENSSL_CTX *libctx,
const char *propq);
int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r);

2
util/libcrypto.num
View File

@ -5072,3 +5072,5 @@ EVP_PKEY_CTX_set_dh_paramgen_generator ? 3_0_0 EXIST::FUNCTION:DH
EVP_PKEY_CTX_set_dh_nid ? 3_0_0 EXIST::FUNCTION:DH
EVP_PKEY_CTX_set_dh_rfc5114 ? 3_0_0 EXIST::FUNCTION:DH
EVP_PKEY_CTX_set_dhx_rfc5114 ? 3_0_0 EXIST::FUNCTION:DH
X509_verify_ex ? 3_0_0 EXIST::FUNCTION:
X509_REQ_verify_ex ? 3_0_0 EXIST::FUNCTION: