authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-08-28 12:42:47 +0200
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-09-05 19:33:33 +0200
commit0b86eefd431dd05a0ba87b2f67a6b99def89b6d5 (patch)
tree87fe7baf949fbfbffd47f529432ef41f6f7a8237 /crypto/cmp
parent15076c26d794dbbdc5413a72e7feded0c9a2ba07 (diff)
OSSL_CMP_CTX: rename field and its getter/setter from 'untrusted_certs' to 'untrusted'
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12788)
Diffstat (limited to 'crypto/cmp')
-rw-r--r--crypto/cmp/cmp_client.c2
-rw-r--r--crypto/cmp/cmp_ctx.c30
-rw-r--r--crypto/cmp/cmp_local.h2
-rw-r--r--crypto/cmp/cmp_protect.c6
-rw-r--r--crypto/cmp/cmp_vfy.c16
5 files changed, 28 insertions, 28 deletions
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index b7319372e6..d5a4f3ced5 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -469,7 +469,7 @@ static X509 *get1_cert_status(OSSL_CMP_CTX *ctx, int bodytype,
/*-
* Callback fn validating that the new certificate can be verified, using
* ctx->certConf_cb_arg, which has been initialized using opt_out_trusted, and
- * ctx->untrusted_certs, which at this point already contains ctx->extraCertsIn.
+ * ctx->untrusted, which at this point already contains ctx->extraCertsIn.
* Returns 0 on acceptance, else a bit field reflecting PKIFailureInfo.
* Quoting from RFC 4210 section 5.1. Overall PKI Message:
* The extraCerts field can contain certificates that may be useful to
diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index adb3ff564b..5b61108f8b 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -57,36 +57,36 @@ int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store)
}
/* Get current list of non-trusted intermediate certs */
-STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx)
+STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return NULL;
}
- return ctx->untrusted_certs;
+ return ctx->untrusted;
}
/*
* Set untrusted certificates for path construction in authentication of
* the CMP server and potentially others (TLS server, newly enrolled cert).
*/
-int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
+int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
{
- STACK_OF(X509) *untrusted_certs;
+ STACK_OF(X509) *untrusted;
if (ctx == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return 0;
}
- if ((untrusted_certs = sk_X509_new_null()) == NULL)
+ if ((untrusted = sk_X509_new_null()) == NULL)
return 0;
- if (X509_add_certs(untrusted_certs, certs,
+ if (X509_add_certs(untrusted, certs,
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP) != 1)
goto err;
- sk_X509_pop_free(ctx->untrusted_certs, X509_free);
- ctx->untrusted_certs = untrusted_certs;
+ sk_X509_pop_free(ctx->untrusted, X509_free);
+ ctx->untrusted = untrusted;
return 1;
err:
- sk_X509_pop_free(untrusted_certs, X509_free);
+ sk_X509_pop_free(untrusted, X509_free);
return 0;
}
@@ -126,7 +126,7 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(OPENSSL_CTX *libctx, const char *propq)
ctx->msg_timeout = 2 * 60;
- if ((ctx->untrusted_certs = sk_X509_new_null()) == NULL)
+ if ((ctx->untrusted = sk_X509_new_null()) == NULL)
goto err;
ctx->pbm_slen = 16;
@@ -186,7 +186,7 @@ void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
X509_free(ctx->validatedSrvCert);
X509_NAME_free(ctx->expected_sender);
X509_STORE_free(ctx->trusted);
- sk_X509_pop_free(ctx->untrusted_certs, X509_free);
+ sk_X509_pop_free(ctx->untrusted, X509_free);
X509_free(ctx->cert);
EVP_PKEY_free(ctx->pkey);
@@ -752,15 +752,15 @@ int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted,
return 0;
}
- if (ctx->untrusted_certs != NULL ?
- !X509_add_certs(ctx->untrusted_certs, candidates,
+ if (ctx->untrusted != NULL ?
+ !X509_add_certs(ctx->untrusted, candidates,
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP) :
- !OSSL_CMP_CTX_set1_untrusted_certs(ctx, candidates))
+ !OSSL_CMP_CTX_set1_untrusted(ctx, candidates))
return 0;
ossl_cmp_debug(ctx, "trying to build chain for own CMP signer cert");
chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq, own_trusted,
- ctx->untrusted_certs, ctx->cert);
+ ctx->untrusted, ctx->cert);
if (chain == NULL) {
CMPerr(0, CMP_R_FAILED_BUILDING_OWN_CHAIN);
return 0;
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index e3dcb94704..d5ac7a521d 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -60,7 +60,7 @@ struct ossl_cmp_ctx_st {
X509 *validatedSrvCert; /* caches any already validated server cert */
X509_NAME *expected_sender; /* expected sender in header of response */
X509_STORE *trusted; /* trust store maybe w CRLs and cert verify callback */
- STACK_OF(X509) *untrusted_certs; /* untrusted (intermediate) certs */
+ STACK_OF(X509) *untrusted; /* untrusted (intermediate CA) certs */
int ignore_keyusage; /* ignore key usage entry when validating certs */
/*
* permitTAInExtraCertsForIR allows use of root certs in extracerts
diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c
index 2a008bd0bf..b65de09517 100644
--- a/crypto/cmp/cmp_protect.c
+++ b/crypto/cmp/cmp_protect.c
@@ -146,14 +146,14 @@ int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
| X509_ADD_FLAG_PREPEND))
return 0;
/* if we have untrusted certs, try to add intermediate certs */
- if (ctx->untrusted_certs != NULL) {
+ if (ctx->untrusted != NULL) {
STACK_OF(X509) *chain;
int res;
ossl_cmp_debug(ctx,
"trying to build chain for own CMP signer cert");
chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq, NULL,
- ctx->untrusted_certs, ctx->cert);
+ ctx->untrusted, ctx->cert);
res = X509_add_certs(msg->extraCerts, chain,
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
| X509_ADD_FLAG_NO_SS);
@@ -298,7 +298,7 @@ int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
/*
* will add ctx->cert followed, if possible, by its chain built
- * from ctx->untrusted_certs, and then ctx->extraCertsOut
+ * from ctx->untrusted, and then ctx->extraCertsOut
*/
} else {
CMPerr(0, CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION);
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index 86e39d262e..9b8a88f94b 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -122,7 +122,7 @@ int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx,
if ((csc = X509_STORE_CTX_new_with_libctx(ctx->libctx, ctx->propq)) == NULL
|| !X509_STORE_CTX_init(csc, trusted_store,
- cert, ctx->untrusted_certs))
+ cert, ctx->untrusted))
goto err;
valid = X509_verify_cert(csc) > 0;
@@ -398,7 +398,7 @@ static int check_msg_with_certs(OSSL_CMP_CTX *ctx, const STACK_OF(X509) *certs,
}
/*-
- * Verify msg trying first ctx->untrusted_certs, which should include extraCerts
+ * Verify msg trying first ctx->untrusted, which should include extraCerts
* at its front, then trying the trusted certs in truststore (if any) of ctx.
* On success cache the found cert using ossl_cmp_ctx_set0_validatedSrvCert().
*/
@@ -418,7 +418,7 @@ static int check_msg_all_certs(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
if (check_msg_with_certs(ctx, msg->extraCerts, "extraCerts",
NULL, NULL, msg, mode_3gpp))
return 1;
- if (check_msg_with_certs(ctx, ctx->untrusted_certs, "untrusted certs",
+ if (check_msg_with_certs(ctx, ctx->untrusted, "untrusted certs",
msg->extraCerts, NULL, msg, mode_3gpp))
return 1;
@@ -430,7 +430,7 @@ static int check_msg_all_certs(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
ret = check_msg_with_certs(ctx, trusted,
mode_3gpp ? "self-issued extraCerts"
: "certs in trusted store",
- msg->extraCerts, ctx->untrusted_certs,
+ msg->extraCerts, ctx->untrusted,
msg, mode_3gpp);
sk_X509_pop_free(trusted, X509_free);
}
@@ -536,7 +536,7 @@ static int check_msg_find_cert(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
* Validate the protection of the given PKIMessage using either password-
* based mac (PBM) or a signature algorithm. In the case of signature algorithm,
* the sender certificate can have been pinned by providing it in ctx->srvCert,
- * else it is searched in msg->extraCerts, ctx->untrusted_certs, in ctx->trusted
+ * else it is searched in msg->extraCerts, ctx->untrusted, in ctx->trusted
* (in this order) and is path is validated against ctx->trusted.
* On success cache the found cert using ossl_cmp_ctx_set0_validatedSrvCert().
*
@@ -636,7 +636,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
/*-
* Check received message (i.e., response by server or request from client)
- * Any msg->extraCerts are prepended to ctx->untrusted_certs.
+ * Any msg->extraCerts are prepended to ctx->untrusted.
*
* Ensures that:
* its sender is of appropriate type (curently only X509_NAME) and
@@ -693,7 +693,7 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
* extraCerts because they do not belong to the protected msg part anyway.
* For efficiency, the extraCerts are prepended so they get used first.
*/
- if (!X509_add_certs(ctx->untrusted_certs, msg->extraCerts,
+ if (!X509_add_certs(ctx->untrusted, msg->extraCerts,
/* this allows self-signed certs */
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
| X509_ADD_FLAG_PREPEND))
@@ -775,7 +775,7 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
* the peer does not need to send them again in the same transaction.
* For efficiency, the extraCerts are prepended so they get used first.
*/
- if (!X509_add_certs(ctx->untrusted_certs, msg->extraCerts,
+ if (!X509_add_certs(ctx->untrusted, msg->extraCerts,
/* this allows self-signed certs */
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
| X509_ADD_FLAG_PREPEND))