author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-12-23 16:06:05 +0100 |
committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-02-18 16:50:12 +0100 |
commit | daf1300b80443b6bf0dec19085056ec407925d89 (patch) | |
tree | 037789ed2404c3265d4ae1592266744924b6a980 /crypto/cmp | |
parent | 937984efc6ed1664e5aeb0e06067d31520066960 (diff) |
Add internal X509_add_certs_new(), which simplifies matters
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14039)
Diffstat (limited to 'crypto/cmp')
-rw-r--r-- | crypto/cmp/cmp_ctx.c | 16 | ||||
-rw-r--r-- | crypto/cmp/cmp_local.h | 1 | ||||
-rw-r--r-- | crypto/cmp/cmp_msg.c | 12 | ||||
-rw-r--r-- | crypto/cmp/cmp_protect.c | 17 | ||||
-rw-r--r-- | crypto/cmp/cmp_util.c | 8 | ||||
-rw-r--r-- | crypto/cmp/cmp_vfy.c | 1 |
6 files changed, 20 insertions, 35 deletions
diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index 26274611a8..e65dabe323 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -12,7 +12,6 @@
 #include <openssl/trace.h>
 #include <openssl/bio.h>
 #include <openssl/ocsp.h> /* for OCSP_REVOKED_STATUS_* */
-#include "crypto/x509.h" /* for x509v3_cache_extensions() */
 
 #include "cmp_local.h"
 
@@ -65,15 +64,14 @@ STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx)
  */
 int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
 {
-    STACK_OF(X509) *untrusted;
+    STACK_OF(X509) *untrusted = NULL;
+
     if (ctx == NULL) {
         ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
         return 0;
     }
-    if ((untrusted = sk_X509_new_null()) == NULL)
-        return 0;
-    if (X509_add_certs(untrusted, certs,
-                       X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP) != 1)
+    if (!ossl_x509_add_certs_new(&untrusted, certs,
+                                 X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
         goto err;
     sk_X509_pop_free(ctx->untrusted, X509_free);
     ctx->untrusted = untrusted;
@@ -731,10 +729,8 @@ int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted,
         return 0;
     }
 
-    if (ctx->untrusted != NULL ?
-        !X509_add_certs(ctx->untrusted, candidates,
-                        X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP) :
-        !OSSL_CMP_CTX_set1_untrusted(ctx, candidates))
+    if (!ossl_x509_add_certs_new(&ctx->untrusted, candidates,
+                                 X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
         return 0;
 
     ossl_cmp_debug(ctx, "trying to build chain for own CMP signer cert");
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index c615865864..a4d3cf9ea4 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -23,6 +23,7 @@
 # include <openssl/safestack.h>
 # include <openssl/x509.h>
 # include <openssl/x509v3.h>
+# include "crypto/x509.h"
 
 /*
  * this structure is used to store the context for CMP sessions
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 4e94d5c1fd..36256b3d1d 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
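Review bot: In OSSL_CMP_CTX_set1_untrusted the failure path now depends on `untrusted` being NULL when `ossl_x509_add_certs_new()` fails before it allocates the stack, and on it holding already up-ref'ed certs when it fails midway, so the cleanup at `err:` (outside the hunk) must be `sk_X509_pop_free(untrusted, X509_free)` — NULL-safe — rather than `sk_X509_free()`. A short comment on the initializer would make that dependency visible: `STACK_OF(X509) *untrusted = NULL; /* allocated on demand below; released at err */`. In OSSL_CMP_CTX_build_cert_chain the in-place call means a midway failure can leave ctx->untrusted partially extended, where the old `OSSL_CMP_CTX_set1_untrusted()` path left a NULL ctx->untrusted untouched; if callers treat the return value as all-or-nothing, that change in failure state deserves a note. Both function bodies continue outside their hunks.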
@@ -19,7 +19,6 @@
 #include <openssl/crmf.h>
 #include <openssl/err.h>
 #include <openssl/x509.h>
-#include "crypto/x509.h" /* for x509_set0_libctx() */
 
 OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg)
 {
@@ -466,13 +465,10 @@ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
     if (bodytype == OSSL_CMP_PKIBODY_IP && caPubs != NULL
             && (repMsg->caPubs = X509_chain_up_ref(caPubs)) == NULL)
         goto err;
-    if (sk_X509_num(chain) > 0) {
-        msg->extraCerts = sk_X509_new_reserve(NULL, sk_X509_num(chain));
-        if (msg->extraCerts == NULL
-            || !X509_add_certs(msg->extraCerts, chain,
-                               X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
-            goto err;
-    }
+    if (sk_X509_num(chain) > 0
+        && !ossl_x509_add_certs_new(&msg->extraCerts, chain,
+                                    X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
+        goto err;
 
     if (!unprotectedErrors
             || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c
index fce2ebc468..aa51bbaa77 100644
--- a/crypto/cmp/cmp_protect.c
+++ b/crypto/cmp/cmp_protect.c
@@ -134,14 +134,10 @@ int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
     if (!ossl_assert(ctx != NULL && msg != NULL))
         return 0;
 
-    if (msg->extraCerts == NULL
-        && (msg->extraCerts = sk_X509_new_null()) == NULL)
-        return 0;
-
     /* Add first ctx->cert and its chain if using signature-based protection */
     if (!ctx->unprotectedSend && ctx->secretValue == NULL
             && ctx->cert != NULL && ctx->pkey != NULL) {
-        int flags_prepend = X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
+        int prepend = X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
             | X509_ADD_FLAG_PREPEND | X509_ADD_FLAG_NO_SS;
 
         /* if not yet done try to build chain using available untrusted certs */
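Review bot: The `sk_X509_num(chain) > 0` guard in ossl_cmp_certrep_new is load-bearing but undocumented: without it `ossl_x509_add_certs_new()` would presumably allocate an empty msg->extraCerts for a NULL or empty chain, and an empty stack is what the cmp_protect.c comment "avoid empty ASN.1 sequence" is working to prevent on the wire. Suggest a comment above the condition, `/* leave extraCerts NULL for an empty chain so no empty SEQUENCE is encoded */`. A midway failure also leaves up-ref'ed certs in msg->extraCerts, which is fine only if the `err:` path (outside the hunk) frees msg as a whole rather than just the stack.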
@@ -162,20 +158,19 @@ int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
             }
         }
         if (ctx->chain != NULL) {
-            if (!X509_add_certs(msg->extraCerts, ctx->chain, flags_prepend))
+            if (!ossl_x509_add_certs_new(&msg->extraCerts, ctx->chain, prepend))
                 return 0;
         } else {
             /* make sure that at least our own signer cert is included first */
-            if (!X509_add_cert(msg->extraCerts, ctx->cert, flags_prepend))
+            if (!X509_add_cert_new(&msg->extraCerts, ctx->cert, prepend))
                 return 0;
-            ossl_cmp_debug(ctx,
-                           "fallback: adding just own CMP signer cert");
+            ossl_cmp_debug(ctx, "fallback: adding just own CMP signer cert");
         }
     }
 
     /* add any additional certificates from ctx->extraCertsOut */
-    if (!X509_add_certs(msg->extraCerts, ctx->extraCertsOut,
-                        X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
+    if (!ossl_x509_add_certs_new(&msg->extraCerts, ctx->extraCertsOut,
+                                 X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
         return 0;
 
     /* in case extraCerts are empty list avoid empty ASN.1 sequence */
diff --git a/crypto/cmp/cmp_util.c b/crypto/cmp/cmp_util.c
index 4f9714a64a..d246047943 100644
--- a/crypto/cmp/cmp_util.c
+++ b/crypto/cmp/cmp_util.c
@@ -248,11 +248,9 @@ STACK_OF(X509)
     chain = X509_STORE_CTX_get0_chain(csc);
 
     /* result list to store the up_ref'ed not self-signed certificates */
-    if ((result = sk_X509_new_null()) == NULL)
-        goto err;
-    if (!X509_add_certs(result, chain,
-                        X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
-                        | X509_ADD_FLAG_NO_SS)) {
+    if (!ossl_x509_add_certs_new(&result, chain,
+                                 X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
+                                 | X509_ADD_FLAG_NO_SS)) {
         sk_X509_free(result);
         result = NULL;
     }
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index 8b6e856d1a..f525c691de 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
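Review bot: With the eager `sk_X509_new_null()` removed in the -134 hunk of this file, whether msg->extraCerts is still NULL when control reaches the "in case extraCerts are empty list" code after this hunk now depends on whether `ossl_x509_add_certs_new()` allocates the stack even for a NULL or empty ctx->extraCertsOut, which the hunk does not show. That following code should therefore tolerate both an empty stack and NULL — note that `sk_X509_num(NULL)` is -1, not 0, so a `== 0` test would not fire for NULL; harmless if it only frees and NULLs, but worth confirming. A comment on the last call would record the new invariant: `/* extraCerts is allocated on demand; may still be NULL if nothing was added */`. ossl_cmp_msg_add_extraCerts starts before this file's first hunk.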
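Review bot: The failure cleanup `sk_X509_free(result); result = NULL;` in cmp_util.c does not release certificates already up-ref'ed into `result` when `ossl_x509_add_certs_new()` fails partway, since the call uses X509_ADD_FLAG_UP_REF; `sk_X509_pop_free(result, X509_free);` is the matching release and is a no-op when the helper failed before allocating and `result` is still NULL. The same pattern existed before the change, but the commit rewrites the call that determines it, so this is the place to fix it. The enclosing function begins outside the hunk.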
@@ -20,7 +20,6 @@
 #include <openssl/crmf.h>
 #include <openssl/err.h>
 #include <openssl/x509.h>
-#include "crypto/x509.h"
 
 /* Verify a message protected by signature according to RFC section 5.1.3.3 */
 static int verify_signature(const OSSL_CMP_CTX *cmp_ctx,
|