authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-08-29 15:17:42 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-09-04 10:47:16 +0200
commit7ef5f090715f7cb0200f9749061019a53f1bbed7 (patch)
treedfa36ca0b51382155cc8e9a92659f1365d4fb4c6
parent9925d30b4c702449a9b5a68c31f6bbf3201f1f79 (diff)
when importing a certificate, keep the DER data
Conflicts: lib/x509/verify.c
-rw-r--r--lib/x509/common.c21
-rw-r--r--lib/x509/common.h3
-rw-r--r--lib/x509/crq.c2
-rw-r--r--lib/x509/verify.c45
-rw-r--r--lib/x509/x509.c33
-rw-r--r--lib/x509/x509_int.h1
6 files changed, 44 insertions, 61 deletions
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 506d26909d..af7ce14f8b 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1492,16 +1492,22 @@ _gnutls_x509_get_pk_algorithm(ASN1_TYPE src, const char *src_name,
* returns them into signed_data.
*/
int
-_gnutls_x509_get_signed_data(ASN1_TYPE src, const char *src_name,
+_gnutls_x509_get_signed_data(ASN1_TYPE src, const gnutls_datum *_der,
+ const char *src_name,
gnutls_datum_t * signed_data)
{
- gnutls_datum_t der;
int start, end, result;
+ gnutls_datum_t der;
- result = _gnutls_x509_der_encode(src, "", &der, 0);
- if (result < 0) {
- gnutls_assert();
- return result;
+ if (_der == NULL) {
+ result = _gnutls_x509_der_encode(src, "", &der, 0);
+ if (result < 0) {
+ gnutls_assert();
+ return result;
+ }
+ } else {
+ der.data = _der->data;
+ der.size = _der->size;
}
/* Get the signed data
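Review bot: The `_der == NULL` test treats any non-NULL pointer as a usable cached encoding, but the verify.c call sites now pass `&cert->der` unconditionally, and that datum is presumably still empty for a certificate that was built with the setter API rather than imported (the field is only filled in gnutls_x509_crt_import), so `der` would then alias a NULL, zero-size buffer and the start/end extraction below runs on it instead of falling back to re-encoding. Treating an empty datum like NULL keeps the fallback: `if (_der == NULL || _der->size == 0) {` here, and the matching `if (_der == NULL || _der->size == 0)` before `_gnutls_free_datum(&der)` in the cleanup hunk that follows. The definition also spells the parameter `const gnutls_datum *_der` while common.h declares it `const gnutls_datum_t *der`; if `gnutls_datum` is only a compatibility alias this compiles, but the two should agree. The function's body continues past the hunk.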
@@ -1526,7 +1532,8 @@ _gnutls_x509_get_signed_data(ASN1_TYPE src, const char *src_name,
result = 0;
cleanup:
- _gnutls_free_datum(&der);
+ if (_der == NULL)
+ _gnutls_free_datum(&der);
return result;
}
diff --git a/lib/x509/common.h b/lib/x509/common.h
index a1b2f680aa..20b0467950 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -148,7 +148,8 @@ int _gnutls_x509_encode_PKI_params(gnutls_datum_t * der,
int _gnutls_asn1_copy_node(ASN1_TYPE * dst, const char *dst_name,
ASN1_TYPE src, const char *src_name);
-int _gnutls_x509_get_signed_data(ASN1_TYPE src, const char *src_name,
+int _gnutls_x509_get_signed_data(ASN1_TYPE src, const gnutls_datum_t *der,
+ const char *src_name,
gnutls_datum_t * signed_data);
int _gnutls_x509_get_signature(ASN1_TYPE src, const char *src_name,
gnutls_datum_t * signature);
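Review bot: The new `der` parameter's contract is not documented at the declaration: whether NULL is allowed and whether the callee takes ownership. From the common.c change, NULL means "re-encode src" and a supplied datum is only borrowed and never freed by the callee, so a short comment above the prototype would settle it for future call sites, e.g. `/* der: optional pre-encoded DER of src; NULL means re-encode. Borrowed, never freed by the callee. */`.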
diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index 4e28fedd7c..efd587332e 100644
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -2495,7 +2495,7 @@ int gnutls_x509_crq_verify(gnutls_x509_crq_t crq, unsigned int flags)
gnutls_pk_params_init(&params);
ret =
- _gnutls_x509_get_signed_data(crq->crq,
+ _gnutls_x509_get_signed_data(crq->crq, NULL,
"certificationRequestInfo",
&data);
if (ret < 0) {
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index a1d56a7a4f..ac666e5bee 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -42,37 +42,18 @@ int
_gnutls_check_if_same_cert(gnutls_x509_crt_t cert1,
gnutls_x509_crt_t cert2)
{
- gnutls_datum_t cert1bin = { NULL, 0 }, cert2bin = {
- NULL, 0};
int result;
result = _gnutls_is_same_dn(cert1, cert2);
if (result == 0)
return 0;
- result = _gnutls_x509_der_encode(cert1->cert, "", &cert1bin, 0);
- if (result < 0) {
- result = 0;
- gnutls_assert();
- goto cleanup;
- }
-
- result = _gnutls_x509_der_encode(cert2->cert, "", &cert2bin, 0);
- if (result < 0) {
- result = 0;
- gnutls_assert();
- goto cleanup;
- }
-
- if ((cert1bin.size == cert2bin.size) &&
- (memcmp(cert1bin.data, cert2bin.data, cert1bin.size) == 0))
+ if ((cert1->der.size == cert2->der.size) &&
+ (memcmp(cert1->der.data, cert2->der.data, cert1->der.size) == 0))
result = 1;
else
result = 0;
- cleanup:
- _gnutls_free_datum(&cert1bin);
- _gnutls_free_datum(&cert2bin);
return result;
}
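Review bot: With the re-encode fallback removed, `_gnutls_check_if_same_cert` compares `cert1->der` and `cert2->der` directly, and two certificates whose DER was never stored (presumably those generated with the setter API rather than imported, if the struct is zero-initialized) both have size 0, so the size check passes and `memcmp` over zero bytes returns 0: they are reported as the same certificate whenever their DNs already match. Calling `memcmp` with null pointers is also undefined even for a zero length. A guard before the comparison avoids both, `if (cert1->der.size == 0 || cert2->der.size == 0) return 0;`, or the previous re-encode can be kept as a fallback when either datum is empty. The same applies to `_gnutls_check_if_same_cert2` in the next hunk, where `cert1->der.size == 0` should likewise not be treated as a match.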
@@ -80,24 +61,14 @@ int
_gnutls_check_if_same_cert2(gnutls_x509_crt_t cert1,
gnutls_datum_t * cert2bin)
{
- gnutls_datum_t cert1bin = { NULL, 0 };
int result;
- result = _gnutls_x509_der_encode(cert1->cert, "", &cert1bin, 0);
- if (result < 0) {
- result = 0;
- gnutls_assert();
- goto cleanup;
- }
-
- if ((cert1bin.size == cert2bin->size) &&
- (memcmp(cert1bin.data, cert2bin->data, cert1bin.size) == 0))
+ if ((cert1->der.size == cert2bin->size) &&
+ (memcmp(cert1->der.data, cert2bin->data, cert1->der.size) == 0))
result = 1;
else
result = 0;
- cleanup:
- _gnutls_free_datum(&cert1bin);
return result;
}
@@ -125,7 +96,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
*/
result =
- _gnutls_x509_get_signed_data(issuer->cert, "tbsCertificate",
+ _gnutls_x509_get_signed_data(issuer->cert, &issuer->der, "tbsCertificate",
&issuer_signed_data);
if (result < 0) {
gnutls_assert();
@@ -133,7 +104,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
}
result =
- _gnutls_x509_get_signed_data(cert->cert, "tbsCertificate",
+ _gnutls_x509_get_signed_data(cert->cert, &cert->der, "tbsCertificate",
&cert_signed_data);
if (result < 0) {
gnutls_assert();
@@ -466,7 +437,7 @@ _gnutls_verify_certificate2(gnutls_x509_crt_t cert,
}
result =
- _gnutls_x509_get_signed_data(cert->cert, "tbsCertificate",
+ _gnutls_x509_get_signed_data(cert->cert, &cert->der, "tbsCertificate",
&cert_signed_data);
if (result < 0) {
gnutls_assert();
@@ -1123,7 +1094,7 @@ gnutls_x509_crl_verify(gnutls_x509_crl_t crl,
}
result =
- _gnutls_x509_get_signed_data(crl->crl, "tbsCertList",
+ _gnutls_x509_get_signed_data(crl->crl, NULL, "tbsCertList",
&crl_signed_data);
if (result < 0) {
gnutls_assert();
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 2d642e04e8..0fbc2823f8 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -136,6 +136,7 @@ void gnutls_x509_crt_deinit(gnutls_x509_crt_t cert)
asn1_delete_structure(&cert->cert);
gnutls_free(cert->raw_dn.data);
gnutls_free(cert->raw_issuer_dn.data);
+ gnutls_free(cert->der.data);
gnutls_free(cert);
}
@@ -160,16 +161,17 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
const gnutls_datum_t * data,
gnutls_x509_crt_fmt_t format)
{
- int result = 0, need_free = 0;
- gnutls_datum_t _data;
+ int result = 0;
if (cert == NULL) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
- _data.data = data->data;
- _data.size = data->size;
+ if (cert->der.data) {
+ gnutls_free(cert->der.data);
+ cert->der.data = NULL;
+ }
/* If the Certificate is in PEM format then decode it
*/
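Review bot: The reset at the top of gnutls_x509_crt_import frees `cert->der.data` and NULLs the pointer but leaves `cert->der.size` at its previous value, so a re-import that fails in the PEM branch (which returns before anything is assigned to `cert->der`) leaves a datum with a NULL pointer and a stale non-zero size; `_gnutls_check_if_same_cert` in verify.c would then pass that pointer and size to memcmp. The cleanup label in this same function already uses `_gnutls_free_datum(&cert->der)`, which, if it resets both fields as its use there suggests, is the right call here too: replace the three lines with `_gnutls_free_datum(&cert->der);`. The function continues past the hunk.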
@@ -177,22 +179,26 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
/* Try the first header */
result =
_gnutls_fbase64_decode(PEM_X509_CERT2, data->data,
- data->size, &_data);
+ data->size, &cert->der);
if (result <= 0) {
/* try for the second header */
result =
_gnutls_fbase64_decode(PEM_X509_CERT,
data->data, data->size,
- &_data);
+ &cert->der);
if (result < 0) {
gnutls_assert();
return result;
}
}
-
- need_free = 1;
+ } else {
+ result = _gnutls_set_datum(&cert->der, data->data, data->size);
+ if (result < 0) {
+ gnutls_assert();
+ return result;
+ }
}
if (cert->expanded) {
@@ -214,14 +220,14 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
}
result =
- asn1_der_decoding(&cert->cert, _data.data, _data.size, NULL);
+ asn1_der_decoding(&cert->cert, cert->der.data, cert->der.size, NULL);
if (result != ASN1_SUCCESS) {
result = _gnutls_asn2err(result);
gnutls_assert();
goto cleanup;
}
- result = _gnutls_x509_get_raw_dn2(cert->cert, &_data,
+ result = _gnutls_x509_get_raw_dn2(cert->cert, &cert->der,
"tbsCertificate.issuer.rdnSequence",
&cert->raw_issuer_dn);
if (result < 0) {
@@ -229,7 +235,7 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
goto cleanup;
}
- result = _gnutls_x509_get_raw_dn2(cert->cert, &_data,
+ result = _gnutls_x509_get_raw_dn2(cert->cert, &cert->der,
"tbsCertificate.subject.rdnSequence",
&cert->raw_dn);
if (result < 0) {
@@ -242,14 +248,11 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
/* Since we do not want to disable any extension
*/
cert->use_extensions = 1;
- if (need_free)
- _gnutls_free_datum(&_data);
return 0;
cleanup:
- if (need_free)
- _gnutls_free_datum(&_data);
+ _gnutls_free_datum(&cert->der);
_gnutls_free_datum(&cert->raw_dn);
_gnutls_free_datum(&cert->raw_issuer_dn);
return result;
diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h
index 1648dcdb2a..e28c88b42d 100644
--- a/lib/x509/x509_int.h
+++ b/lib/x509/x509_int.h
@@ -56,6 +56,7 @@ typedef struct gnutls_x509_crt_int {
gnutls_datum_t raw_dn;
gnutls_datum_t raw_issuer_dn;
+ gnutls_datum_t der;
struct pin_info_st pin;
} gnutls_x509_crt_int;
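Review bot: The new `der` member has no comment saying what it holds or when it is valid; from the x509.c change it holds the certificate's encoding as imported (PEM-decoded or copied from the caller's DER), is released in gnutls_x509_crt_deinit, and presumably stays empty for a certificate that was never imported, which the verify.c code that now reads it directly should be aware of. Suggested: `gnutls_datum_t der; /* DER as imported (not re-encoded); empty if the cert was never imported */`. The enclosing struct starts before the hunk.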