Fix more certificate related lib_ctx settings.

Fixes #13732 Fix a few places that were not using the '_ex' variants of ASN1_item_sign/verify. Added X509_CRL_new_ex(). Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14752)
2025-03-31 20:10:45 +08:00 · 2021-03-31 15:10:22 +10:00 · 2021-03-31 15:10:22 +10:00 · e6c2f96489
commit e6c2f96489
parent 09fba0b440
15 changed files with 75 additions and 43 deletions
--- a/apps/ca.c
+++ b/apps/ca.c
@ -1178,7 +1178,7 @@ end_of_options:

        if (verbose)
            BIO_printf(bio_err, "making CRL\n");
-        if ((crl = X509_CRL_new()) == NULL)
+        if ((crl = X509_CRL_new_ex(app_get0_libctx(), app_get0_propq())) == NULL)
            goto end;
        if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509)))
            goto end;
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@ -469,7 +469,8 @@ int ocsp_main(int argc, char **argv)
        case OPT_RSIGOPT:
            if (rsign_sigopts == NULL)
                rsign_sigopts = sk_OPENSSL_STRING_new_null();
-            if (rsign_sigopts == NULL || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg()))
+            if (rsign_sigopts == NULL
+                || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg()))
                goto end;
            break;
        case OPT_HEADER:
@ -676,8 +677,8 @@ redo_accept:
        if (key == NULL)
            goto end;

-        if (!OCSP_request_sign
-            (req, signer, key, NULL, sign_other, sign_flags)) {
+        if (!OCSP_request_sign(req, signer, key, NULL,
+                               sign_other, sign_flags)) {
            BIO_printf(bio_err, "Error signing OCSP request\n");
            goto end;
        }
@ -696,8 +697,8 @@ redo_accept:

    if (rdb != NULL) {
        make_ocsp_response(bio_err, &resp, req, rdb, rca_cert, rsigner, rkey,
-                           rsign_md, rsign_sigopts, rother, rflags, nmin, ndays, badsig,
-                           resp_certid_md);
+                           rsign_md, rsign_sigopts, rother, rflags, nmin, ndays,
+                           badsig, resp_certid_md);
        if (cbio != NULL)
            send_ocsp_response(cbio, resp);
    } else if (host != NULL) {
--- a/apps/req.c
+++ b/apps/req.c
@ -802,7 +802,7 @@ int req_main(int argc, char **argv)
        }

        if (req == NULL) {
-            req = X509_REQ_new();
+            req = X509_REQ_new_ex(app_get0_libctx(), app_get0_propq());
            if (req == NULL) {
                goto end;
            }
--- a/crypto/asn1/a_sign.c
+++ b/crypto/asn1/a_sign.c
@ -136,6 +136,7 @@ int ASN1_item_sign_ex(const ASN1_ITEM *it, X509_ALGOR *algor1,
        ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
        return 0;
    }
+    /* We can use the non _ex variant here since the pkey is already setup */
    if (!EVP_DigestSignInit(ctx, NULL, md, NULL, pkey))
        goto err;

--- a/crypto/ocsp/ocsp_cl.c
+++ b/crypto/ocsp/ocsp_cl.c
@ -94,7 +94,7 @@ int OCSP_request_sign(OCSP_REQUEST *req,
                      OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
            goto err;
        }
-        if (!OCSP_REQUEST_sign(req, key, dgst))
+        if (!OCSP_REQUEST_sign(req, key, dgst, signer->libctx, signer->propq))
            goto err;
    }

--- a/crypto/ocsp/ocsp_local.h
+++ b/crypto/ocsp/ocsp_local.h
@ -217,22 +217,30 @@ struct ocsp_service_locator_st {
    STACK_OF(ACCESS_DESCRIPTION) *locator;
 };

-#  define OCSP_REQUEST_sign(o,pkey,md) \
-        ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
-                &(o)->optionalSignature->signatureAlgorithm,NULL,\
-                (o)->optionalSignature->signature,&(o)->tbsRequest,pkey,md)
+#  define OCSP_REQUEST_sign(o, pkey, md, libctx, propq)\
+        ASN1_item_sign_ex(ASN1_ITEM_rptr(OCSP_REQINFO),\
+                          &(o)->optionalSignature->signatureAlgorithm, NULL,\
+                         (o)->optionalSignature->signature, &(o)->tbsRequest,\
+                         NULL, pkey, md, libctx, propq)

-#  define OCSP_BASICRESP_sign(o,pkey,md,d) \
-        ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
-                NULL,(o)->signature,&(o)->tbsResponseData,pkey,md)
+#  define OCSP_BASICRESP_sign(o, pkey, md, d, libctx, propq)\
+        ASN1_item_sign_ex(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+                          &(o)->signatureAlgorithm, NULL,\
+                          (o)->signature, &(o)->tbsResponseData,\
+                          NULL, pkey, md, libctx, propq)

-#  define OCSP_BASICRESP_sign_ctx(o,ctx,d) \
-        ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
-                NULL,(o)->signature,&(o)->tbsResponseData,ctx)
+#  define OCSP_BASICRESP_sign_ctx(o, ctx, d)\
+        ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+                           &(o)->signatureAlgorithm, NULL,\
+                           (o)->signature, &(o)->tbsResponseData, ctx)

-#  define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
-        &(a)->optionalSignature->signatureAlgorithm,\
-        (a)->optionalSignature->signature,&(a)->tbsRequest,r)
+#  define OCSP_REQUEST_verify(a, r, libctx, propq)\
+        ASN1_item_verify_ex(ASN1_ITEM_rptr(OCSP_REQINFO),\
+                            &(a)->optionalSignature->signatureAlgorithm,\
+                            (a)->optionalSignature->signature, &(a)->tbsRequest,\
+                            NULL, r, libctx, propq)

-#  define OCSP_BASICRESP_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
-        &(a)->signatureAlgorithm,(a)->signature,&(a)->tbsResponseData,r)
+#  define OCSP_BASICRESP_verify(a, r, libctx, propq)\
+        ASN1_item_verify_ex(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+                            &(a)->signatureAlgorithm, (a)->signature,\
+                            &(a)->tbsResponseData, NULL, r, libctx, propq)
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@ -223,7 +223,8 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp,
    if (ctx == NULL)
        return 0;

-    if (!EVP_DigestSignInit(ctx, &pkctx, dgst, NULL, key)) {
+    if (!EVP_DigestSignInit_ex(ctx, &pkctx, EVP_MD_name(dgst),
+                               signer->libctx, signer->propq, key, NULL)) {
        EVP_MD_CTX_free(ctx);
        return 0;
    }
@ -277,7 +278,7 @@ int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert,

 int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert)
 {
-    return OCSP_RESPID_set_by_key_ex(respid, cert, NULL, NULL);
+    return OCSP_RESPID_set_by_key_ex(respid, cert, cert->libctx, cert->propq);
 }

 int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx,
@ -318,5 +319,5 @@ int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx,

 int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert)
 {
-    return OCSP_RESPID_match_ex(respid, cert, NULL, NULL);
+    return OCSP_RESPID_match_ex(respid, cert, cert->libctx, cert->propq);
 }
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@ -84,9 +84,9 @@ static int ocsp_verify(OCSP_REQUEST *req, OCSP_BASICRESP *bs,
            return -1;
        }
        if (req != NULL)
-            ret = OCSP_REQUEST_verify(req, skey);
+            ret = OCSP_REQUEST_verify(req, skey, signer->libctx, signer->propq);
        else
-            ret = OCSP_BASICRESP_verify(bs, skey);
+            ret = OCSP_BASICRESP_verify(bs, skey, signer->libctx, signer->propq);
        if (ret <= 0)
            ERR_raise(ERR_LIB_OCSP, OCSP_R_SIGNATURE_FAILURE);
    }
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@ -2052,7 +2052,7 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
        return NULL;
    }
    /* Create new CRL */
-    crl = X509_CRL_new();
+    crl = X509_CRL_new_ex(base->libctx, base->propq);
    if (crl == NULL || !X509_CRL_set_version(crl, 1))
        goto memerr;
    /* Set issuer name */
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@ -59,8 +59,9 @@ int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
    x->cert_info.enc.modified = 1;
-    return ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
-                          &x->sig_alg, &x->signature, &x->cert_info, pkey, md);
+    return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
+                             &x->sig_alg, &x->signature, &x->cert_info, NULL,
+                             pkey, md, x->libctx, x->propq);
 }

 int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
@ -89,8 +90,9 @@ X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)

 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
-    return ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
-                          x->signature, &x->req_info, pkey, md);
+    return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
+                             x->signature, &x->req_info, NULL,
+                             pkey, md, x->libctx, x->propq);
 }

 int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
@ -103,8 +105,9 @@ int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
    x->crl.enc.modified = 1;
-    return ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
-                          &x->sig_alg, &x->signature, &x->crl, pkey, md);
+    return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
+                             &x->sig_alg, &x->signature, &x->crl, NULL,
+                             pkey, md, x->libctx, x->propq);
 }

 int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
@ -123,8 +126,8 @@ X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)

 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
-    return ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
-                          x->signature, x->spkac, pkey, md);
+    return ASN1_item_sign_ex(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
+                          x->signature, x->spkac, NULL, pkey, md, NULL, NULL);
 }

 #ifndef OPENSSL_NO_STDIO
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@ -340,6 +340,18 @@ static int X509_REVOKED_cmp(const X509_REVOKED *const *a,
                            (ASN1_STRING *)&(*b)->serialNumber));
 }

+X509_CRL *X509_CRL_new_ex(OSSL_LIB_CTX *libctx, const char *propq)
+{
+    X509_CRL *crl = NULL;
+
+    crl = (X509_CRL *)ASN1_item_new((X509_CRL_it()));
+    if (!ossl_x509_crl_set0_libctx(crl, libctx, propq)) {
+        X509_CRL_free(crl);
+        crl = NULL;
+    }
+    return crl;
+}
+
 int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
 {
    X509_CRL_INFO *inf;
@ -381,8 +393,9 @@ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x)

 static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r)
 {
-    return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO),
-                             &crl->sig_alg, &crl->signature, &crl->crl, r));
+    return (ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CRL_INFO),
+                                &crl->sig_alg, &crl->signature, &crl->crl, NULL,
+                                r, crl->libctx, crl->propq));
 }

 static int crl_revoked_issuer_match(X509_CRL *crl, const X509_NAME *nm,
--- a/doc/man3/X509_dup.pod
+++ b/doc/man3/X509_dup.pod
@ -274,6 +274,7 @@ X509_CRL_INFO_free,
 X509_CRL_INFO_new,
 X509_CRL_dup,
 X509_CRL_free,
+X509_CRL_new_ex,
 X509_CRL_new,
 X509_EXTENSION_dup,
 X509_EXTENSION_free,
@ -349,7 +350,8 @@ The object returned must be released by calling B<I<TYPE>_free>().

 B<I<TYPE>_new_ex>() is similiar to B<I<TYPE>_new>() but also passes the
 library context I<libctx> and the property query I<propq> to use when retrieving
-algorithms from providers.
+algorithms from providers. This created object can then be used when loading
+binary data using B<d2i_I<TYPE>>().

 B<I<TYPE>_dup>() copies an existing object, leaving it untouched.

@ -371,8 +373,8 @@ B<I<TYPE>_print_ctx>() returns 1 on success or zero on failure.

 =head1 HISTORY

-The functions PKCS7_new_ex() and CMS_ContentInfo_new_ex() were
-added in OpenSSL 3.0.
+The functions X509_REQ_new_ex(), X509_CRL_new_ex(), PKCS7_new_ex() and
+CMS_ContentInfo_new_ex() were added in OpenSSL 3.0.

 The functions DSAparams_dup(), RSAPrivateKey_dup() and RSAPublicKey_dup() were
 deprecated in 3.0.
--- a/doc/man3/X509_new.pod
+++ b/doc/man3/X509_new.pod
@ -25,7 +25,8 @@ X509_new_ex() allocates and initializes a X509 structure with a
 library context of I<libctx>, property query of <propq> and a reference
 count of B<1>. Many X509 functions such as X509_check_purpose(), and
 X509_verify() use this library context to select which providers supply the
-fetched algorithms (SHA1 is used internally).
+fetched algorithms (SHA1 is used internally). This created X509 object can then
+be used when loading binary data using d2i_X509().

 X509_new() is similar to X509_new_ex() but sets the library context
 and property query to NULL. This results in the default (NULL) library context
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@ -642,6 +642,7 @@ STACK_OF(ASN1_OBJECT) *X509_get0_reject_objects(X509 *x);
 DECLARE_ASN1_FUNCTIONS(X509_REVOKED)
 DECLARE_ASN1_FUNCTIONS(X509_CRL_INFO)
 DECLARE_ASN1_FUNCTIONS(X509_CRL)
+X509_CRL *X509_CRL_new_ex(OSSL_LIB_CTX *libctx, const char *propq);

 int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
 int X509_CRL_get0_by_serial(X509_CRL *crl,
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@ -5347,3 +5347,4 @@ EVP_ASYM_CIPHER_description             ?	3_0_0	EXIST::FUNCTION:
 EVP_KEM_description                     ?	3_0_0	EXIST::FUNCTION:
 EVP_KEYEXCH_description                 ?	3_0_0	EXIST::FUNCTION:
 EVP_KDF_description                     ?	3_0_0	EXIST::FUNCTION:
+X509_CRL_new_ex                         ?	3_0_0	EXIST::FUNCTION: