diff options
author | Shane Lontis <shane.lontis@oracle.com> | 2020-07-24 22:53:27 +1000 |
---|---|---|
committer | Shane Lontis <shane.lontis@oracle.com> | 2020-07-24 22:53:27 +1000 |
commit | 6725682d77510bf6d499957897d7be124d603f40 (patch) | |
tree | 447e5bce5607b4873f7f018df1b2e4c21a394e92 /include/openssl | |
parent | ae89578be2930c726d6ef56451233757a89f224f (diff) | |
download | openssl-new-6725682d77510bf6d499957897d7be124d603f40.tar.gz |
Add X509 related libctx changes.
- In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx().
- Loading via PEM_read_bio_X509() or d2i_X509() should pass in a created cert using X509_new_with_libctx().
- Renamed some XXXX_ex() to XXX_with_libctx() for X509 API's.
- Removed the extra parameters in check_purpose..
- X509_digest() has been modified so that it expects a const EVP_MD object() and then internally it does the fetch when it needs to (via ASN1_item_digest_with_libctx()).
- Added API's that set the libctx when they load such as X509_STORE_new_with_libctx() so that the cert chains can be verified.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12153)
Diffstat (limited to 'include/openssl')
-rw-r--r-- | include/openssl/pem.h | 9 | ||||
-rw-r--r-- | include/openssl/ssl.h | 3 | ||||
-rw-r--r-- | include/openssl/store.h | 35 | ||||
-rw-r--r-- | include/openssl/x509.h | 6 | ||||
-rw-r--r-- | include/openssl/x509_vfy.h | 46 | ||||
-rw-r--r-- | include/openssl/x509v3.h | 2 |
6 files changed, 80 insertions, 21 deletions
diff --git a/include/openssl/pem.h b/include/openssl/pem.h index fb63b93db8..f4989e3987 100644 --- a/include/openssl/pem.h +++ b/include/openssl/pem.h @@ -286,6 +286,11 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u); +STACK_OF(X509_INFO) +*PEM_X509_INFO_read_bio_with_libctx(BIO *bp, STACK_OF(X509_INFO) *sk, + pem_password_cb *cb, void *u, + OPENSSL_CTX *libctx, const char *propq); + int PEM_X509_INFO_write_bio(BIO *bp, const X509_INFO *xi, EVP_CIPHER *enc, const unsigned char *kstr, int klen, pem_password_cb *cd, void *u); @@ -303,6 +308,10 @@ int PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp, pem_password_cb *callback, void *u); STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u); +STACK_OF(X509_INFO) +*PEM_X509_INFO_read_with_libctx(FILE *fp, STACK_OF(X509_INFO) *sk, + pem_password_cb *cb, void *u, + OPENSSL_CTX *libctx, const char *propq); #endif int PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type); diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index c030346760..bc003bc4fa 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1629,6 +1629,9 @@ __owur int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, __owur int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); __owur int SSL_use_certificate_chain_file(SSL *ssl, const char *file); __owur STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file); +__owur STACK_OF(X509_NAME) +*SSL_load_client_CA_file_with_libctx(const char *file, + OPENSSL_CTX *libctx, const char *propq); __owur int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs, const char *file); int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs, diff --git a/include/openssl/store.h b/include/openssl/store.h index ffea2df15b..d5e72a0963 100644 --- a/include/openssl/store.h +++ b/include/openssl/store.h @@ -57,6 +57,11 @@ OSSL_STORE_CTX *OSSL_STORE_open(const char *uri, const UI_METHOD *ui_method, OSSL_STORE_post_process_info_fn post_process, void *post_process_data); +OSSL_STORE_CTX *OSSL_STORE_open_with_libctx + (const char *uri, OPENSSL_CTX *libctx, const char *propq, + const UI_METHOD *ui_method, void *ui_data, + OSSL_STORE_post_process_info_fn post_process, void *post_process_data); + /* * Control / fine tune the OSSL_STORE channel. |cmd| determines what is to be * done, and depends on the underlying loader (use OSSL_STORE_get0_scheme to @@ -115,8 +120,8 @@ int OSSL_STORE_close(OSSL_STORE_CTX *ctx); * Note that this function is considered unsafe, all depending on what the * BIO actually reads. */ -OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bio, OPENSSL_CTX *libctx, - const char *scheme, const char *propq, +OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bio, const char *scheme, + OPENSSL_CTX *libctx, const char *propq, const UI_METHOD *ui_method, void *ui_data, OSSL_STORE_post_process_info_fn post_process, void *post_process_data); @@ -239,21 +244,20 @@ const ENGINE *OSSL_STORE_LOADER_get0_engine(const OSSL_STORE_LOADER *loader); const char *OSSL_STORE_LOADER_get0_scheme(const OSSL_STORE_LOADER *loader); /* struct ossl_store_loader_ctx_st is defined differently by each loader */ typedef struct ossl_store_loader_ctx_st OSSL_STORE_LOADER_CTX; -typedef OSSL_STORE_LOADER_CTX *(*OSSL_STORE_open_fn)(const OSSL_STORE_LOADER - *loader, - const char *uri, - const UI_METHOD *ui_method, - void *ui_data); +typedef OSSL_STORE_LOADER_CTX *(*OSSL_STORE_open_fn) + (const OSSL_STORE_LOADER *loader, const char *uri, + const UI_METHOD *ui_method, void *ui_data); +typedef OSSL_STORE_LOADER_CTX *(*OSSL_STORE_open_with_libctx_fn) + (const OSSL_STORE_LOADER *loader, + const char *uri, OPENSSL_CTX *libctx, const char *propq, + const UI_METHOD *ui_method, void *ui_data); + int OSSL_STORE_LOADER_set_open(OSSL_STORE_LOADER *loader, OSSL_STORE_open_fn open_function); -typedef OSSL_STORE_LOADER_CTX *(*OSSL_STORE_attach_fn)(const OSSL_STORE_LOADER - *loader, - BIO *bio, - OPENSSL_CTX *libctx, - const char *propq, - const UI_METHOD - *ui_method, - void *ui_data); +typedef OSSL_STORE_LOADER_CTX *(*OSSL_STORE_attach_fn) + (const OSSL_STORE_LOADER *loader, BIO *bio, + OPENSSL_CTX *libctx, const char *propq, + const UI_METHOD *ui_method, void *ui_data); int OSSL_STORE_LOADER_set_attach(OSSL_STORE_LOADER *loader, OSSL_STORE_attach_fn attach_function); typedef int (*OSSL_STORE_ctrl_fn)(OSSL_STORE_LOADER_CTX *ctx, int cmd, @@ -272,6 +276,7 @@ typedef OSSL_STORE_INFO *(*OSSL_STORE_load_fn)(OSSL_STORE_LOADER_CTX *ctx, void *ui_data); int OSSL_STORE_LOADER_set_load(OSSL_STORE_LOADER *loader, OSSL_STORE_load_fn load_function); + typedef int (*OSSL_STORE_eof_fn)(OSSL_STORE_LOADER_CTX *ctx); int OSSL_STORE_LOADER_set_eof(OSSL_STORE_LOADER *loader, OSSL_STORE_eof_fn eof_function); diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 2212ceeedc..935699a55a 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -343,12 +343,11 @@ void *X509_CRL_get_meth_data(X509_CRL *crl); const char *X509_verify_cert_error_string(long n); -int X509_verify_ex(X509 *a, EVP_PKEY *r, OPENSSL_CTX *libctx, const char *propq); int X509_verify(X509 *a, EVP_PKEY *r); int X509_self_signed(X509 *cert, int verify_signature); -int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *r, OPENSSL_CTX *libctx, - const char *propq); +int X509_REQ_verify_with_libctx(X509_REQ *a, EVP_PKEY *r, OPENSSL_CTX *libctx, + const char *propq); int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r); int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r); int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r); @@ -558,6 +557,7 @@ int X509_NAME_set(X509_NAME **xn, const X509_NAME *name); DECLARE_ASN1_FUNCTIONS(X509_CINF) DECLARE_ASN1_FUNCTIONS(X509) +X509 *X509_new_with_libctx(OPENSSL_CTX *libctx, const char *propq); DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX) #define X509_get_ex_new_index(l, p, newf, dupf, freef) \ diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index 5cd123f635..2d3bd70ae2 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h @@ -88,7 +88,6 @@ typedef STACK_OF(X509_CRL) const X509_NAME *nm); typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx); - void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); # define X509_STORE_CTX_set_app_data(ctx,data) \ @@ -113,6 +112,19 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); # define X509_LOOKUP_load_store(x,name) \ X509_LOOKUP_ctrl((x),X509_L_LOAD_STORE,(name),0,NULL) +# define X509_LOOKUP_load_file_with_libctx(x, name, type, libctx, propq) \ +X509_LOOKUP_ctrl_with_libctx((x), X509_L_FILE_LOAD, (name), (long)(type), NULL,\ + (libctx), (propq)) + +# define X509_LOOKUP_load_store_with_libctx(x, name, libctx, propq) \ +X509_LOOKUP_ctrl_with_libctx((x), X509_L_LOAD_STORE, (name), 0, NULL, \ + (libctx), (propq)) + +# define X509_LOOKUP_add_store_with_libctx(x, name, libctx, propq) \ +X509_LOOKUP_ctrl_with_libctx((x), X509_L_ADD_STORE, (name), 0, NULL, \ + (libctx), (propq)) + + # define X509_V_OK 0 # define X509_V_ERR_UNSPECIFIED 1 # define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2 @@ -404,10 +416,20 @@ X509_LOOKUP_METHOD *X509_LOOKUP_store(void); typedef int (*X509_LOOKUP_ctrl_fn)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret); +typedef int (*X509_LOOKUP_ctrl_with_libctx_fn)( + X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret, + OPENSSL_CTX *libctx, const char *propq); + typedef int (*X509_LOOKUP_get_by_subject_fn)(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, const X509_NAME *name, X509_OBJECT *ret); +typedef int (*X509_LOOKUP_get_by_subject_with_libctx_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + const X509_NAME *name, + X509_OBJECT *ret, + OPENSSL_CTX *libctx, + const char *propq); typedef int (*X509_LOOKUP_get_by_issuer_serial_fn)(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, const X509_NAME *name, @@ -484,16 +506,27 @@ X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs, int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret); +int X509_LOOKUP_ctrl_with_libctx(X509_LOOKUP *ctx, int cmd, const char *argc, + long argl, char **ret, + OPENSSL_CTX *libctx, const char *propq); int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type); +int X509_load_cert_file_with_libctx(X509_LOOKUP *ctx, const char *file, int type, + OPENSSL_CTX *libctx, const char *propq); int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type); int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type); +int X509_load_cert_crl_file_with_libctx(X509_LOOKUP *ctx, const char *file, + int type, OPENSSL_CTX *libctx, + const char *propq); X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method); void X509_LOOKUP_free(X509_LOOKUP *ctx); int X509_LOOKUP_init(X509_LOOKUP *ctx); int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, const X509_NAME *name, X509_OBJECT *ret); +int X509_LOOKUP_by_subject_with_libctx(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, + const X509_NAME *name, X509_OBJECT *ret, + OPENSSL_CTX *libctx, const char *propq); int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, const X509_NAME *name, const ASN1_INTEGER *serial, @@ -516,6 +549,17 @@ int X509_STORE_load_locations(X509_STORE *ctx, const char *dir); int X509_STORE_set_default_paths(X509_STORE *ctx); +int X509_STORE_load_file_with_libctx(X509_STORE *ctx, const char *file, + OPENSSL_CTX *libctx, const char *propq); +int X509_STORE_load_store_with_libctx(X509_STORE *ctx, const char *store, + OPENSSL_CTX *libctx, const char *propq); +int X509_STORE_load_locations_with_libctx(X509_STORE *ctx, + const char *file, const char *dir, + OPENSSL_CTX *libctx, const char *propq); +int X509_STORE_set_default_paths_with_libctx(X509_STORE *ctx, + OPENSSL_CTX *libctx, + const char *propq); + #define X509_STORE_CTX_get_ex_new_index(l, p, newf, dupf, freef) \ CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, l, p, newf, dupf, freef) int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data); diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h index 6a207f65d1..24f5a361d0 100644 --- a/include/openssl/x509v3.h +++ b/include/openssl/x509v3.h @@ -571,8 +571,6 @@ GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out, X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc); -int X509v3_cache_extensions(X509 *x, OPENSSL_CTX *libctx, const char *propq); - void X509V3_conf_free(CONF_VALUE *val); X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, |