authorMatt Caswell <matt@openssl.org>2020-04-03 18:01:04 +0100
committerMatt Caswell <matt@openssl.org>2020-04-16 14:19:51 +0100
commit0820217441b68724d91b7644f3560e15149a1848 (patch)
tree7a100589baf22f51c1c28d3041848875248a5cc7 /crypto
parentb27ed819431fb7f50ded6fcddfd25de079d7e808 (diff)
Create a libctx aware X509_verify_ex()
This is the same as X509_verify() except that it takes a libctx and propq parameter and signature verification is done using those. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11507)
Diffstat (limited to 'crypto')
-rw-r--r--crypto/x509/x509_vfy.c4
-rw-r--r--crypto/x509/x_all.c24
2 files changed, 20 insertions, 8 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 84a4bb2c60..c3eb261b94 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1763,7 +1763,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n,
X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))
return 0;
- } else if (X509_verify(xs, pkey) <= 0) {
+ } else if (X509_verify_ex(xs, pkey, ctx->libctx, ctx->propq) <= 0) {
if (!verify_cb_cert(ctx, xs, n,
X509_V_ERR_CERT_SIGNATURE_FAILURE))
return 0;
@@ -2809,7 +2809,7 @@ static int check_dane_pkeys(X509_STORE_CTX *ctx)
if (t->usage != DANETLS_USAGE_DANE_TA ||
t->selector != DANETLS_SELECTOR_SPKI ||
t->mtype != DANETLS_MATCHING_FULL ||
- X509_verify(cert, t->spki) <= 0)
+ X509_verify_ex(cert, t->spki, ctx->libctx, ctx->propq) <= 0)
continue;
/* Clear any PKIX-?? matches that failed to extend to a full chain */
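Review bot: At the X509_verify_ex call in internal_verify, the `<= 0` test folds a negative result (verification could not be attempted at all, e.g. no implementation of the key's algorithm can be fetched for ctx->libctx/ctx->propq) into X509_V_ERR_CERT_SIGNATURE_FAILURE, the same error a forged or corrupted certificate produces. That conflation existed with X509_verify, but the library context and property query are now chosen per store, so a provider or propq misconfiguration will present to operators as a signature failure with nothing in the verify callback to tell it apart; a comment at the call site, `/* <0: verification could not be attempted for this libctx/propq, not a bad signature */`, or a distinct verify error for the negative case, would make incident triage easier. The check_dane_pkeys hunk has the same shape, where the `continue` silently drops a DANE-TA trust anchor in both cases. Both enclosing functions start and end outside their hunks.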
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 0f31c5155f..6d7f341c7f 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -34,13 +34,14 @@ static void clean_id_ctx(EVP_MD_CTX *ctx)
EVP_MD_CTX_free(ctx);
}
-static EVP_MD_CTX *make_id_ctx(EVP_PKEY *r, ASN1_OCTET_STRING *id)
+static EVP_MD_CTX *make_id_ctx(EVP_PKEY *r, ASN1_OCTET_STRING *id,
+ OPENSSL_CTX *libctx, const char *propq)
{
EVP_MD_CTX *ctx = NULL;
EVP_PKEY_CTX *pctx = NULL;
if ((ctx = EVP_MD_CTX_new()) == NULL
- || (pctx = EVP_PKEY_CTX_new(r, NULL)) == NULL) {
+ || (pctx = EVP_PKEY_CTX_new_from_pkey(libctx, r, propq)) == NULL) {
X509err(0, ERR_R_MALLOC_FAILURE);
goto error;
}
@@ -63,7 +64,7 @@ static EVP_MD_CTX *make_id_ctx(EVP_PKEY *r, ASN1_OCTET_STRING *id)
return NULL;
}
-int X509_verify(X509 *a, EVP_PKEY *r)
+int X509_verify_ex(X509 *a, EVP_PKEY *r, OPENSSL_CTX *libctx, const char *propq)
{
int rv = 0;
EVP_MD_CTX *ctx = NULL;
@@ -73,7 +74,7 @@ int X509_verify(X509 *a, EVP_PKEY *r)
return 0;
id = a->distinguishing_id;
- if ((ctx = make_id_ctx(r, id)) != NULL) {
+ if ((ctx = make_id_ctx(r, id, libctx, propq)) != NULL) {
rv = ASN1_item_verify_ctx(ASN1_ITEM_rptr(X509_CINF), &a->sig_alg,
&a->signature, &a->cert_info, ctx);
clean_id_ctx(ctx);
@@ -81,14 +82,20 @@ int X509_verify(X509 *a, EVP_PKEY *r)
return rv;
}
-int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
+int X509_verify(X509 *a, EVP_PKEY *r)
+{
+ return X509_verify_ex(a, r, NULL, NULL);
+}
+
+int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *r, OPENSSL_CTX *libctx,
+ const char *propq)
{
int rv = 0;
EVP_MD_CTX *ctx = NULL;
ASN1_OCTET_STRING *id = NULL;
id = a->distinguishing_id;
- if ((ctx = make_id_ctx(r, id)) != NULL) {
+ if ((ctx = make_id_ctx(r, id, libctx, propq)) != NULL) {
rv = ASN1_item_verify_ctx(ASN1_ITEM_rptr(X509_REQ_INFO), &a->sig_alg,
a->signature, &a->req_info, ctx);
clean_id_ctx(ctx);
@@ -96,6 +103,11 @@ int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
return rv;
}
+int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
+{
+ return X509_REQ_verify_ex(a, r, NULL, NULL);
+}
+
int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
{
return (ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC),
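Review bot: In X509_verify_ex and X509_REQ_verify_ex, when make_id_ctx() returns NULL, rv is left at its initial 0 and returned, so "verification could not be set up" is indistinguishable by return value from "signature does not match" — and after this change make_id_ctx() also fails when EVP_PKEY_CTX_new_from_pkey() cannot produce a context for the given libctx/propq, which is a provider/configuration problem rather than a bad certificate. Since ASN1_item_verify_ctx() uses -1 for "could not verify" (and, if memory serves, the X509_verify man page already documents -1 that way), an `else { rv = -1; }` after the make_id_ctx() check in both functions would preserve that distinction for callers such as internal_verify in x509_vfy.c; any caller testing `== 0` would need a look. Relatedly, the combined condition in make_id_ctx reports ERR_R_MALLOC_FAILURE for the EVP_PKEY_CTX_new_from_pkey() failure as well, overriding whatever reason that call raised (it pushes its own, as far as I can tell), so splitting the two checks keeps the malloc reason only for EVP_MD_CTX_new(). make_id_ctx's body continues past the end of its hunk, and the public header and man page updates for the two new _ex functions are outside this crypto-limited diffstat.
```c
    if ((ctx = EVP_MD_CTX_new()) == NULL) {
        X509err(0, ERR_R_MALLOC_FAILURE);
        goto error;
    }
    /* Not an allocation failure: no usable implementation for libctx/propq */
    if ((pctx = EVP_PKEY_CTX_new_from_pkey(libctx, r, propq)) == NULL)
        goto error;
    /* … unchanged: rest of make_id_ctx … */

    /* … unchanged: X509_verify_ex prologue … */
    if ((ctx = make_id_ctx(r, id, libctx, propq)) != NULL) {
        rv = ASN1_item_verify_ctx(ASN1_ITEM_rptr(X509_CINF), &a->sig_alg,
                                  &a->signature, &a->cert_info, ctx);
        clean_id_ctx(ctx);
    } else {
        rv = -1; /* could not attempt verification; distinct from a bad signature (0) */
    }
    /* … unchanged: same else branch in X509_REQ_verify_ex … */
```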