diff options
author | David Benjamin <davidben@chromium.org> | 2015-02-16 21:15:53 -0500 |
---|---|---|
committer | Adam Langley <agl@google.com> | 2015-02-17 23:15:47 +0000 |
commit | dd1ca99da4ba21684c4136a4ecb87d291d1792fa (patch) | |
tree | 5f62e249651e35930859a8aed8099f8344894945 | |
parent | 310db06b79a8a997e077dc88bb2327992fad37bb (diff) | |
download | boringssl-dd1ca99da4ba21684c4136a4ecb87d291d1792fa.zip boringssl-dd1ca99da4ba21684c4136a4ecb87d291d1792fa.tar.gz boringssl-dd1ca99da4ba21684c4136a4ecb87d291d1792fa.tar.bz2 |
Remove X509_get_pubkey_parameters.
It's never called in outside code. This too seems to be a remnant of the DSA
PKIX optional parameter stuff. This is confirmed both by a removed comment and
by the brief documentation at http://www.umich.edu/~x509/ssleay/x509_pkey.html
RFC 5480 does not allow ECDSA keys to be missing parameters, so this logic is
incorrect for ECDSA anyway. It was also failing to check
EVP_PKEY_copy_parameters' return value. And that logic looks pretty suspect if
you have a chain made up multiple certificate types.
Change-Id: Id6c60659a0162356c7f3eae5c797047366baae1c
Reviewed-on: https://boringssl-review.googlesource.com/3485
Reviewed-by: Adam Langley <agl@google.com>
-rw-r--r-- | crypto/x509/x509_vfy.c | 51 | ||||
-rw-r--r-- | include/openssl/x509.h | 2 |
2 files changed, 1 insertions, 52 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 28d2182..78e70a6 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -410,9 +410,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx) if (!ok) goto end; - /* We may as well copy down any DSA parameters that are required */ - X509_get_pubkey_parameters(NULL,ctx->chain); - /* Check revocation status: we do this after copying parameters * because they may be needed for CRL signature verification. */ @@ -441,12 +438,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx) /* If we get this far evaluate policies */ if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) ok = ctx->check_policy(ctx); - if(!ok) goto end; - if (0) - { + end: - X509_get_pubkey_parameters(NULL,ctx->chain); - } if (sktmp != NULL) sk_X509_free(sktmp); if (chain_ss != NULL) X509_free(chain_ss); return ok; @@ -1932,48 +1925,6 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, return ASN1_TIME_adj(s, t, offset_day, offset_sec); } -int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) - { - EVP_PKEY *ktmp=NULL,*ktmp2; - size_t i,j; - - if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; - - for (i=0; i<sk_X509_num(chain); i++) - { - ktmp=X509_get_pubkey(sk_X509_value(chain,i)); - if (ktmp == NULL) - { - OPENSSL_PUT_ERROR(X509, X509_get_pubkey_parameters, X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY); - return 0; - } - if (!EVP_PKEY_missing_parameters(ktmp)) - break; - else - { - EVP_PKEY_free(ktmp); - ktmp=NULL; - } - } - if (ktmp == NULL) - { - OPENSSL_PUT_ERROR(X509, X509_get_pubkey_parameters, X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN); - return 0; - } - - /* first, populate the other certs */ - for (j=i-1; j < i; j--) - { - ktmp2=X509_get_pubkey(sk_X509_value(chain,j)); - EVP_PKEY_copy_parameters(ktmp2,ktmp); - EVP_PKEY_free(ktmp2); - } - - if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp); - EVP_PKEY_free(ktmp); - return 1; - } - /* Make a delta CRL as the diff between two full CRLs */ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, diff --git a/include/openssl/x509.h b/include/openssl/x509.h index f500876..acdab6e 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -748,8 +748,6 @@ DECLARE_ASN1_FUNCTIONS(X509_PUBKEY) OPENSSL_EXPORT int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey); OPENSSL_EXPORT EVP_PKEY * X509_PUBKEY_get(X509_PUBKEY *key); -OPENSSL_EXPORT int X509_get_pubkey_parameters(EVP_PKEY *pkey, - STACK_OF(X509) *chain); OPENSSL_EXPORT int i2d_PUBKEY(const EVP_PKEY *a,unsigned char **pp); OPENSSL_EXPORT EVP_PKEY * d2i_PUBKEY(EVP_PKEY **a,const unsigned char **pp, long length); |