author | Gibeom Gwon <gb.gwon@stackframe.dev> | 2022-10-12 02:53:00 +0900 |
committer | Tomas Mraz <tomas@openssl.org> | 2022-10-20 17:02:32 +0200 |
commit | 963e0bc43369a6dbe6644f709630f6c9f63dccf9 (patch) | |
tree | 95ccc46631b1e8a802d43d46d786564648b02e76 | |
parent | cd6e89b6b6ebe204cc442da9b563213bd67eb27f (diff) | |
Fix no longer implicitly refresh the cached TBSCertificate
This reverts commit 9249a34b076df9a9d55ab74ab465d336980cae6a.
Fixes #19388
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19393)
-rw-r--r-- | crypto/x509/x_all.c | 80 |
1 files changed, 32 insertions, 48 deletions
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index a8d36f1e59..b7806c1ec1 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -59,34 +59,34 @@ int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
-    int ret;
-
     if (x == NULL) {
         ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
         return 0;
     }
-    ret = ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
-                            &x->sig_alg, &x->signature, &x->cert_info, NULL,
-                            pkey, md, x->libctx, x->propq);
-    if (ret > 0)
-        x->cert_info.enc.modified = 1;
-    return ret;
+
+    /*
+     * Setting the modified flag before signing it. This makes the cached
+     * encoding to be ignored, so even if the certificate fields have changed,
+     * they are signed correctly.
+     * The X509_sign_ctx, X509_REQ_sign{,_ctx}, X509_CRL_sign{,_ctx} functions
+     * which exist below are the same.
+     */
+    x->cert_info.enc.modified = 1;
+    return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
+                             &x->sig_alg, &x->signature, &x->cert_info, NULL,
+                             pkey, md, x->libctx, x->propq);
 }
 
 int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
 {
-    int ret;
-
     if (x == NULL) {
         ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
         return 0;
     }
-    ret = ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
-                             &x->cert_info.signature,
-                             &x->sig_alg, &x->signature, &x->cert_info, ctx);
-    if (ret > 0)
-        x->cert_info.enc.modified = 1;
-    return ret;
+    x->cert_info.enc.modified = 1;
+    return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
+                              &x->cert_info.signature,
+                              &x->sig_alg, &x->signature, &x->cert_info, ctx);
 }
 
 static ASN1_VALUE *simple_get_asn1(const char *url, BIO *bio, BIO *rbio,
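Review bot: The comment added above `x->cert_info.enc.modified = 1;` in X509_sign is ungrammatical and does not state the reason the flag must be set before the call rather than after it, which is the whole point of the revert; suggest replacing it with `Set the modified flag before signing so the cached DER encoding is discarded and ASN1_item_sign_ex() encodes the current field values; otherwise a stale cached TBSCertificate could be signed after the fields were changed.` A second sentence can then say that X509_sign_ctx below and the X509_REQ_* and X509_CRL_* sign functions follow the same pattern, since those five copies carry no comment of their own. Unlike the removed lines, the new code sets the flag unconditionally, so a failed signing call also invalidates the cached encoding; that looks like the safer direction and is presumably intended, but it is worth stating in the comment so it is not "fixed" back later. The same observation applies to X509_sign_ctx in this hunk and to the four functions in the next hunk.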
@@ -111,66 +111,50 @@ X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
-    int ret;
-
     if (x == NULL) {
         ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
         return 0;
     }
-    ret = ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
-                            x->signature, &x->req_info, NULL,
-                            pkey, md, x->libctx, x->propq);
-    if (ret > 0)
-        x->req_info.enc.modified = 1;
-    return ret;
+    x->req_info.enc.modified = 1;
+    return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
+                             x->signature, &x->req_info, NULL,
+                             pkey, md, x->libctx, x->propq);
 }
 
 int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
 {
-    int ret;
-
     if (x == NULL) {
         ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
         return 0;
     }
-    ret = ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_REQ_INFO),
-                             &x->sig_alg, NULL, x->signature, &x->req_info,
-                             ctx);
-    if (ret > 0)
-        x->req_info.enc.modified = 1;
-    return ret;
+    x->req_info.enc.modified = 1;
+    return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_REQ_INFO),
+                              &x->sig_alg, NULL, x->signature, &x->req_info,
+                              ctx);
 }
 
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
-    int ret;
-
     if (x == NULL) {
         ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
         return 0;
     }
-    ret = ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
-                            &x->sig_alg, &x->signature, &x->crl, NULL,
-                            pkey, md, x->libctx, x->propq);
-    if (ret > 0)
-        x->crl.enc.modified = 1;
-    return ret;
+    x->crl.enc.modified = 1;
+    return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
+                             &x->sig_alg, &x->signature, &x->crl, NULL,
+                             pkey, md, x->libctx, x->propq);
 }
 
 int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
 {
-    int ret;
-
     if (x == NULL) {
         ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
         return 0;
     }
-    ret = ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
-                             &x->crl.sig_alg, &x->sig_alg, &x->signature,
-                             &x->crl, ctx);
-    if (ret > 0)
-        x->crl.enc.modified = 1;
-    return ret;
+    x->crl.enc.modified = 1;
+    return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
+                              &x->crl.sig_alg, &x->sig_alg, &x->signature,
+                              &x->crl, ctx);
 }
 
 X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)