author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-05-13 16:03:26 +0200 |
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-08-21 09:04:12 +0200 |
commit | 28e9f62b2dd5f59218bd7d5c3ef877dd06e5eb97 (patch) | |
tree | 0dcb04286e0915154867c5c3b56ed80916d5ca5f /crypto/cmp | |
parent | 1930b58642a67eecf23708aa71df9e193e849a3c (diff) |
cmp_util.c: Add OPENSSL_CTX parameter to ossl_cmp_build_cert_chain(), improve its doc
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808)
Diffstat (limited to 'crypto/cmp')
-rw-r--r-- | crypto/cmp/cmp_local.h | 4 | ||||
-rw-r--r-- | crypto/cmp/cmp_protect.c | 3 | ||||
-rw-r--r-- | crypto/cmp/cmp_util.c | 18 | ||||
-rw-r--r-- | crypto/cmp/cmp_vfy.c | 2 |
4 files changed, 16 insertions, 11 deletions
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index 90d043c71c..8d21fa0b82 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -744,7 +744,9 @@ int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
 const ASN1_OCTET_STRING *src);
 int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,
 const unsigned char *bytes, int len);
-STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert);
+STACK_OF(X509)
+ *ossl_cmp_build_cert_chain(OPENSSL_CTX *libctx, const char *propq,
+ STACK_OF(X509) *certs, X509 *cert);

 /* from cmp_ctx.c */
 int ossl_cmp_print_log(OSSL_CMP_severity level, const OSSL_CMP_CTX *ctx,
diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c
index 7c3d5bf730..ccb4516cde 100644
--- a/crypto/cmp/cmp_protect.c
+++ b/crypto/cmp/cmp_protect.c
@@ -154,7 +154,8 @@ int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
 /* if we have untrusted certs, try to add intermediate certs */
 if (ctx->untrusted_certs != NULL) {
 STACK_OF(X509) *chain =
- ossl_cmp_build_cert_chain(ctx->untrusted_certs, ctx->cert);
+ ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq,
+ ctx->untrusted_certs, ctx->cert);
 int res = X509_add_certs(msg->extraCerts, chain,
 X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
 | X509_ADD_FLAG_NO_SS);
diff --git a/crypto/cmp/cmp_util.c b/crypto/cmp/cmp_util.c
index 0ec69d0bb5..318314771e 100644
--- a/crypto/cmp/cmp_util.c
+++ b/crypto/cmp/cmp_util.c
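Review bot: In the cmp_protect.c hunk, the `chain` returned by the new ossl_cmp_build_cert_chain() call is handed straight to X509_add_certs() on the next line without a NULL check, although the function's own comment (cmp_util.c hunk) documents NULL as its error result; whether X509_add_certs() treats a NULL stack as "nothing to add" is not visible here, and either way a chain-building failure becomes indistinguishable from an empty chain at this point. Given the comment above says "try to add", best-effort may be intended, in which case it deserves to be stated, e.g. `/* chain == NULL (build failure) is deliberately treated like an empty chain */` before the X509_add_certs() call; if it is not intended, an explicit error return belongs here. The enclosing function ossl_cmp_msg_add_extraCerts() continues outside the hunk, so the handling of `res` cannot be judged from this page.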
@@ -206,19 +206,19 @@ int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
 }

 /*-
- * Builds up the certificate chain of certs as high up as possible using
- * the given list of certs containing all possible intermediate certificates and
- * optionally the (possible) trust anchor(s). See also ssl_add_cert_chain().
+ * Builds up the chain of intermediate CA certificates
+ * starting from of the given certificate <cert> as high up as possible using
+ * the given list of candidate certificates, similarly to ssl_add_cert_chain().
 *
 * Intended use of this function is to find all the certificates above the trust
 * anchor needed to verify an EE's own certificate. Those are supposed to be
- * included in the ExtraCerts field of every first sent message of a transaction
+ * included in the ExtraCerts field of every first CMP message of a transaction
 * when MSG_SIG_ALG is utilized.
 *
 * NOTE: This allocates a stack and increments the reference count of each cert,
 * so when not needed any more the stack and all its elements should be freed.
- * NOTE: in case there is more than one possibility for the chain,
- * OpenSSL seems to take the first one, check X509_verify_cert() for details.
+ * NOTE: In case there is more than one possibility for the chain,
+ * OpenSSL seems to take the first one; check X509_verify_cert() for details.
 *
 * returns a pointer to a stack of (up_ref'ed) X509 certificates containing:
 * - the EE certificate given in the function arguments (cert)
@@ -226,7 +226,9 @@ int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
 * whereas the (self-signed) trust anchor is not included
 * returns NULL on error
 */
-STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert)
+STACK_OF(X509)
+ *ossl_cmp_build_cert_chain(OPENSSL_CTX *libctx, const char *propq,
+ STACK_OF(X509) *certs, X509 *cert)
 {
 STACK_OF(X509) *chain = NULL, *result = NULL;
 X509_STORE *store = X509_STORE_new();
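Review bot: The rewritten second added comment line reads "starting from of the given certificate <cert>", which has a stray "of"; ` * starting from the given certificate <cert> as high up as possible using`. Since this commit is explicitly about improving the doc of this helper, it is worth fixing in the same change. The `<cert>` notation for the parameter is also new to this block, whose later lines refer to the same argument as "(cert)"; using one form throughout would read more consistently.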
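Review bot: The two new parameters libctx and propq of ossl_cmp_build_cert_chain() are not described anywhere in the reworked comment block above the signature, although the commit's stated purpose includes improving that doc; the "returns" paragraph covers the result but nothing says what the extra arguments select or whether NULL is acceptable. Add a line before the "returns" paragraph such as ` * The libctx and propq arguments are used for the X509_STORE_CTX created internally (see X509_STORE_CTX_new_with_libctx()); presumably NULL selects the library defaults — confirm against that function.` The function body continues past the end of the hunk, so the remaining uses of the two arguments cannot be checked here.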
@@ -237,7 +239,7 @@ STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert)
 goto err;
 }

- csc = X509_STORE_CTX_new();
+ csc = X509_STORE_CTX_new_with_libctx(libctx, propq);

 if (csc == NULL)
 goto err;
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index 7ab96590a5..d4cececd61 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -151,7 +151,7 @@ int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx,
 return 0;
 }

- if ((csc = X509_STORE_CTX_new()) == NULL
+ if ((csc = X509_STORE_CTX_new_with_libctx(ctx->libctx, ctx->propq)) == NULL
 || !X509_STORE_CTX_init(csc, trusted_store, cert, ctx->untrusted_certs))
 goto err; |