authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-05-13 16:03:26 +0200
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-08-21 09:04:12 +0200
commit28e9f62b2dd5f59218bd7d5c3ef877dd06e5eb97 (patch)
tree0dcb04286e0915154867c5c3b56ed80916d5ca5f /crypto/cmp
parent1930b58642a67eecf23708aa71df9e193e849a3c (diff)
cmp_util.c: Add OPENSSL_CTX parameter to ossl_cmp_build_cert_chain(), improve its doc
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11808)
Diffstat (limited to 'crypto/cmp')
-rw-r--r--crypto/cmp/cmp_local.h4
-rw-r--r--crypto/cmp/cmp_protect.c3
-rw-r--r--crypto/cmp/cmp_util.c18
-rw-r--r--crypto/cmp/cmp_vfy.c2
4 files changed, 16 insertions, 11 deletions
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index 90d043c71c..8d21fa0b82 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -744,7 +744,9 @@ int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
const ASN1_OCTET_STRING *src);
int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,
const unsigned char *bytes, int len);
-STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert);
+STACK_OF(X509)
+ *ossl_cmp_build_cert_chain(OPENSSL_CTX *libctx, const char *propq,
+ STACK_OF(X509) *certs, X509 *cert);
/* from cmp_ctx.c */
int ossl_cmp_print_log(OSSL_CMP_severity level, const OSSL_CMP_CTX *ctx,
diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c
index 7c3d5bf730..ccb4516cde 100644
--- a/crypto/cmp/cmp_protect.c
+++ b/crypto/cmp/cmp_protect.c
@@ -154,7 +154,8 @@ int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
/* if we have untrusted certs, try to add intermediate certs */
if (ctx->untrusted_certs != NULL) {
STACK_OF(X509) *chain =
- ossl_cmp_build_cert_chain(ctx->untrusted_certs, ctx->cert);
+ ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq,
+ ctx->untrusted_certs, ctx->cert);
int res = X509_add_certs(msg->extraCerts, chain,
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
| X509_ADD_FLAG_NO_SS);
diff --git a/crypto/cmp/cmp_util.c b/crypto/cmp/cmp_util.c
index 0ec69d0bb5..318314771e 100644
--- a/crypto/cmp/cmp_util.c
+++ b/crypto/cmp/cmp_util.c
@@ -206,19 +206,19 @@ int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
}
/*-
- * Builds up the certificate chain of certs as high up as possible using
- * the given list of certs containing all possible intermediate certificates and
- * optionally the (possible) trust anchor(s). See also ssl_add_cert_chain().
+ * Builds up the chain of intermediate CA certificates
+ * starting from of the given certificate <cert> as high up as possible using
+ * the given list of candidate certificates, similarly to ssl_add_cert_chain().
*
* Intended use of this function is to find all the certificates above the trust
* anchor needed to verify an EE's own certificate. Those are supposed to be
- * included in the ExtraCerts field of every first sent message of a transaction
+ * included in the ExtraCerts field of every first CMP message of a transaction
* when MSG_SIG_ALG is utilized.
*
* NOTE: This allocates a stack and increments the reference count of each cert,
* so when not needed any more the stack and all its elements should be freed.
- * NOTE: in case there is more than one possibility for the chain,
- * OpenSSL seems to take the first one, check X509_verify_cert() for details.
+ * NOTE: In case there is more than one possibility for the chain,
+ * OpenSSL seems to take the first one; check X509_verify_cert() for details.
*
* returns a pointer to a stack of (up_ref'ed) X509 certificates containing:
* - the EE certificate given in the function arguments (cert)
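Review bot: The rewritten opening sentence of the comment at lines 58-60 reads `starting from of the given certificate <cert>`, which has a stray word and is the text future readers of this internal API will see; `starting from the given certificate <cert> as high up as possible using` is what is meant. The rest of the rewording (`first CMP message`, the capitalised `NOTE:`) reads fine. This comment block continues into the next hunk, where the `returns` paragraph and the new signature follow.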
@@ -226,7 +226,9 @@ int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
* whereas the (self-signed) trust anchor is not included
* returns NULL on error
*/
-STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert)
+STACK_OF(X509)
+ *ossl_cmp_build_cert_chain(OPENSSL_CTX *libctx, const char *propq,
+ STACK_OF(X509) *certs, X509 *cert)
{
STACK_OF(X509) *chain = NULL, *result = NULL;
X509_STORE *store = X509_STORE_new();
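Review bot: The doc comment ending at line 80 still describes only `certs` and `cert`, while the new signature adds `libctx` and `propq`, which now select the library context and property query that the chain building uses (via X509_STORE_CTX_new_with_libctx in the following hunk); a caller reading this header will not know what to pass or what NULL means. Suggest adding, before the `returns` paragraph, ` * The libctx and propq parameters select the library context and property query for the underlying verification; NULL for either presumably falls back to the defaults — confirm against X509_STORE_CTX_new_with_libctx.` The same omission applies to the declaration in cmp_local.h (first hunk) if a comment is kept there. The body of ossl_cmp_build_cert_chain continues outside this hunk.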
@@ -237,7 +239,7 @@ STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert)
goto err;
}
- csc = X509_STORE_CTX_new();
+ csc = X509_STORE_CTX_new_with_libctx(libctx, propq);
if (csc == NULL)
goto err;
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index 7ab96590a5..d4cececd61 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -151,7 +151,7 @@ int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx,
return 0;
}
- if ((csc = X509_STORE_CTX_new()) == NULL
+ if ((csc = X509_STORE_CTX_new_with_libctx(ctx->libctx, ctx->propq)) == NULL
|| !X509_STORE_CTX_init(csc, trusted_store,
cert, ctx->untrusted_certs))
goto err;