summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGibeom Gwon <gb.gwon@stackframe.dev>2022-10-12 02:57:21 +0900
committerGibeom Gwon <gb.gwon@stackframe.dev>2022-10-13 22:54:29 +0900
commita3c229e1f3dc25c4062314f7fbb1322e32fb5ac5 (patch)
treedb9f1db5b0d5f1834a3dc5f5fc1f9df696d4c90f
parent0ca7eae5cc2e3042d7af8383eacac6c9c414de68 (diff)
Fix no longer implicitly refresh the cached TBSCertificate
This reverts commit 748df1874f0488ce0c86b6d2d083921abb34b1e3. Fixes #19388 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19392)
Diffstat
-rw-r--r--crypto/x509/x_all.c75
1 files changed, 29 insertions, 46 deletions
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 05ba3a93a8..fcf6b5ba37 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -41,26 +41,25 @@ int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
{
- int ret = 0;
-
- ret = ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
- &x->sig_alg, &x->signature, &x->cert_info, pkey,
- md);
- if (ret > 0)
- x->cert_info.enc.modified = 1;
- return ret;
+ /*
+ * Setting the modified flag before signing it. This makes the cached
+ * encoding to be ignored, so even if the certificate fields have changed,
+ * they are signed correctly.
+ * The X509_sign_ctx, X509_REQ_sign{,_ctx}, X509_CRL_sign{,_ctx} functions
+ * which exist below are the same.
+ */
+ x->cert_info.enc.modified = 1;
+ return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
+ &x->sig_alg, &x->signature, &x->cert_info, pkey,
+ md));
}
int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
{
- int ret = 0;
-
- ret = ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
- &x->cert_info.signature,
- &x->sig_alg, &x->signature, &x->cert_info, ctx);
- if (ret > 0)
- x->cert_info.enc.modified = 1;
- return ret;
+ x->cert_info.enc.modified = 1;
+ return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
+ &x->cert_info.signature,
+ &x->sig_alg, &x->signature, &x->cert_info, ctx);
}
#ifndef OPENSSL_NO_OCSP
@@ -73,48 +72,32 @@ int X509_http_nbio(OCSP_REQ_CTX *rctx, X509 **pcert)
int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
{
- int ret = 0;
-
- ret = ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
- x->signature, &x->req_info, pkey, md);
- if (ret > 0)
- x->req_info.enc.modified = 1;
- return ret;
+ x->req_info.enc.modified = 1;
+ return (ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
+ x->signature, &x->req_info, pkey, md));
}
int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
{
- int ret = 0;
-
- ret = ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_REQ_INFO),
- &x->sig_alg, NULL, x->signature, &x->req_info,
- ctx);
- if (ret > 0)
- x->req_info.enc.modified = 1;
- return ret;
+ x->req_info.enc.modified = 1;
+ return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_REQ_INFO),
+ &x->sig_alg, NULL, x->signature, &x->req_info,
+ ctx);
}
int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
{
- int ret = 0;
-
- ret = ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
- &x->sig_alg, &x->signature, &x->crl, pkey, md);
- if (ret > 0)
- x->crl.enc.modified = 1;
- return ret;
+ x->crl.enc.modified = 1;
+ return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
+ &x->sig_alg, &x->signature, &x->crl, pkey, md));
}
int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
{
- int ret = 0;
-
- ret = ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
- &x->crl.sig_alg, &x->sig_alg, &x->signature,
- &x->crl, ctx);
- if (ret > 0)
- x->crl.enc.modified = 1;
- return ret;
+ x->crl.enc.modified = 1;
+ return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
+ &x->crl.sig_alg, &x->sig_alg, &x->signature,
+ &x->crl, ctx);
}
#ifndef OPENSSL_NO_OCSP
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-14 17:07:26 +0000