mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-03-31 20:10:45 +08:00
Code Issues Packages Projects Releases Wiki Activity

Make more use of X509_add_certs(); minor related code & comments cleanup

Browse Source 
This is a follow-up on #12615.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14436)
This commit is contained in:
Dr. David von Oheimb 2021-02-08 19:13:26 +01:00
parent 9b9d24f033
commit 0dca5ede0d
3 changed files with 13 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
crypto/ocsp/ocsp_cl.c
View File

@ -27,7 +27,6 @@
* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ pointer:
* useful if we want to add extensions.
*/
OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
{
OCSP_ONEREQ *one = NULL;
@ -45,7 +44,6 @@ OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
}
/* Set requestorName from an X509_NAME structure */
int OCSP_request_set1_name(OCSP_REQUEST *req, const X509_NAME *nm)
{
GENERAL_NAME *gen = GENERAL_NAME_new();
@ -63,19 +61,15 @@ int OCSP_request_set1_name(OCSP_REQUEST *req, const X509_NAME *nm)
}
/* Add a certificate to an OCSP request */
int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
{
OCSP_SIGNATURE *sig;
if (req->optionalSignature == NULL)
req->optionalSignature = OCSP_SIGNATURE_new();
sig = req->optionalSignature;
if (sig == NULL)
if (req->optionalSignature == NULL
&& (req->optionalSignature = OCSP_SIGNATURE_new()) == NULL)
return 0;
if (cert == NULL)
return 1;
return ossl_x509_add_cert_new(&sig->certs, cert, X509_ADD_FLAG_UP_REF);
return ossl_x509_add_cert_new(&req->optionalSignature->certs, cert,
X509_ADD_FLAG_UP_REF);
}
/*
@ -83,16 +77,12 @@ int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
* optional signers certificate and include one or more optional certificates
* in the request. Behaves like PKCS7_sign().
*/
int OCSP_request_sign(OCSP_REQUEST *req,
X509 *signer,
EVP_PKEY *key,
const EVP_MD *dgst,
STACK_OF(X509) *certs, unsigned long flags)
{
int i;
X509 *x;
if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
goto err;
@ -109,13 +99,10 @@ int OCSP_request_sign(OCSP_REQUEST *req,
}
if ((flags & OCSP_NOCERTS) == 0) {
if (!OCSP_request_add1_cert(req, signer))
if (!OCSP_request_add1_cert(req, signer)
|| !X509_add_certs(req->optionalSignature->certs, certs,
X509_ADD_FLAG_UP_REF))
goto err;
for (i = 0; i < sk_X509_num(certs); i++) {
x = sk_X509_value(certs, i);
if (!OCSP_request_add1_cert(req, x))
goto err;
}
}
return 1;
@ -126,7 +113,6 @@ int OCSP_request_sign(OCSP_REQUEST *req,
}
/* Get response status */
int OCSP_response_status(OCSP_RESPONSE *resp)
{
return ASN1_ENUMERATED_get(resp->responseStatus);
@ -136,7 +122,6 @@ int OCSP_response_status(OCSP_RESPONSE *resp)
* Extract basic response from OCSP_RESPONSE or NULL if no basic response
* present.
*/
OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
{
OCSP_RESPBYTES *rb = resp->responseBytes;
@ -168,9 +153,7 @@ const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)
return &bs->tbsResponseData;
}
/*
* Return number of OCSP_SINGLERESP responses present in a basic response.
*/
/* Return number of OCSP_SINGLERESP responses present in a basic response */
int OCSP_resp_count(OCSP_BASICRESP *bs)
{
@ -180,7 +163,6 @@ int OCSP_resp_count(OCSP_BASICRESP *bs)
}
/* Extract an OCSP_SINGLERESP response with a given index */
OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
{
if (bs == NULL)
@ -237,7 +219,6 @@ int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
}
/* Look single response matching a given certificate ID */
int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
{
int i;
@ -264,7 +245,6 @@ int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
* revtime and reason values are only set if the certificate status is
* revoked. Returns numerical value of status.
*/
int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
ASN1_GENERALIZEDTIME **revtime,
ASN1_GENERALIZEDTIME **thisupd,
@ -300,7 +280,6 @@ int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
* This function combines the previous ones: look up a certificate ID and if
* found extract status information. Return 0 is successful.
*/
int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
int *reason,
ASN1_GENERALIZEDTIME **revtime,
@ -328,7 +307,6 @@ int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
* accepting very old responses without a nextUpdate field an optional maxage
* parameter specifies the maximum age the thisUpdate field can be.
*/
int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
{

13
crypto/ocsp/ocsp_srv.c
View File

@ -20,7 +20,6 @@
* Utility functions related to sending OCSP responses and extracting
* relevant information from the request.
*/
int OCSP_request_onereq_count(OCSP_REQUEST *req)
{
return sk_OCSP_ONEREQ_num(req->tbsRequest.requestList);
@ -155,7 +154,6 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
}
/* Add a certificate to an OCSP request */
int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
{
return ossl_x509_add_cert_new(&resp->certs, cert, X509_ADD_FLAG_UP_REF);
@ -166,12 +164,10 @@ int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
* set the responderID to the subject name in the signer's certificate, and
* include one or more optional certificates in the response.
*/
int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,
X509 *signer, EVP_MD_CTX *ctx,
STACK_OF(X509) *certs, unsigned long flags)
{
int i;
OCSP_RESPID *rid;
EVP_PKEY *pkey;
@ -187,13 +183,9 @@ int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,
}
if (!(flags & OCSP_NOCERTS)) {
if (!OCSP_basic_add1_cert(brsp, signer))
if (!OCSP_basic_add1_cert(brsp, signer)
|| !X509_add_certs(brsp->certs, certs, X509_ADD_FLAG_UP_REF))
goto err;
for (i = 0; i < sk_X509_num(certs); i++) {
X509 *tmpcert = sk_X509_value(certs, i);
if (!OCSP_basic_add1_cert(brsp, tmpcert))
goto err;
}
}
rid = &brsp->tbsResponseData.responderId;
@ -212,7 +204,6 @@ int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,
* Right now, I think that not doing double hashing is the right thing.
* -- Richard Levitte
*/
if (!OCSP_BASICRESP_sign_ctx(brsp, ctx, 0))
goto err;

7
crypto/x509/x509_cmp.c
View File

@ -177,8 +177,7 @@ int X509_cmp(const X509 *a, const X509 *b)
int ossl_x509_add_cert_new(STACK_OF(X509) **p_sk, X509 *cert, int flags)
{
if (*p_sk == NULL
&& (*p_sk = sk_X509_new_null()) == NULL) {
if (*p_sk == NULL && (*p_sk = sk_X509_new_null()) == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
return 0;
}
@ -216,7 +215,7 @@ int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags)
}
int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags)
/* compiler would allow 'const' for the list of certs, yet they are up-ref'ed */
/* compiler would allow 'const' for the certs, yet they may get up-ref'ed */
{
if (sk == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
@ -227,7 +226,7 @@ int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags)
int ossl_x509_add_certs_new(STACK_OF(X509) **p_sk, STACK_OF(X509) *certs,
int flags)
/* compiler would allow 'const' for the list of certs, yet they are up-ref'ed */
/* compiler would allow 'const' for the certs, yet they may get up-ref'ed */
{
int n = sk_X509_num(certs /* may be NULL */);
int i;