openbsd/src/lib/libcrypto/asn1, branch OPENBSD_7_8_BASE A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_8_BASE 2025-08-22T14:07:34+00:00 Hide primitive BOOLEAN items 2025-08-22T14:07:34+00:00 tb 2025-08-22T14:07:34+00:00 urn:sha1:026a2ea5b1aabdfbf27997ffd198cd73b3b5ee08 Rides the libcrypto bump from a couple days ago x_crl.c: wont -> won't + KNF for a comment 2025-08-19T21:54:11+00:00 tb 2025-08-19T21:54:11+00:00 urn:sha1:9dcf678726cfbece5f63515f3e2138ca32e6a25e Tweak comment in asn1_item_free: KNF, missing comma, wont -> won't. 2025-08-14T19:02:17+00:00 tb 2025-08-14T19:02:17+00:00 urn:sha1:aebc2e1e9633afc7adcdd780a2d54f9ef9c1b400 Merge the two functions from x_pkey.c into pem_info.c 2025-07-12T20:22:40+00:00 tb 2025-07-12T20:22:40+00:00 urn:sha1:69147ea8445a511462c02e8ac88d4f75fec3fa1b It looks like those can be unexported. Merge the two functions from x_info.c into pem_info.c 2025-07-12T19:57:13+00:00 tb 2025-07-12T19:57:13+00:00 urn:sha1:d8116bd100cd9a4c1e502db89ddc6042bdb71643 X509_INFO_new() isn't used directly outside of this file, so this is a bit tidier. Add missing check to X509_CRL_verify() 2025-07-10T18:48:31+00:00 tb 2025-07-10T18:48:31+00:00 urn:sha1:03d9063618b2994c381512cccdf03470f7b08be4 When fixing CVE-2014-8275 in commit 684400ce, Henson added a check that the AlgorithmIdentifier in the certificate's signature matches the one in the tbsCertificate. A corresponding check for CRLs was missed. BoringSSL added such a check in 2022, so this should be fine for us to do as well even though OpenSSL still doesn't have it. The only caller will set an error on the stack, so we don't do it here. There's no obvious check that X509_REQ_verify() could do. ok beck kenjiro X509_print: emit UIDs unless X509_FLAG_NO_IDS is set 2025-07-01T06:46:39+00:00 tb 2025-07-01T06:46:39+00:00 urn:sha1:9503d6ced5738f84fb45b1da3bdb9db4f7db4fc3 issuerUID and subjectUID are a curiosity introduced in X.509v2 before extensions were a thing. Their purpose is to help distinguishing certs with identical subject. They are rarely used and are MUST NOT use in the CA/BF baseline requirements. They do occasionally show up in test certificates and it is confusing that openssl x509 silently ignores them. Their encoding also makes them relatively hard to spot in the output of asn1 parsing tools. The output is identical to OpenSSL < 3 and BoringSSL, but due to some weird tweaks added leading up to OpenSSL 3 their output is no longer compatible with that. It is not entirely correct anyway. Since it is a (not further specified) bit string, you shouldn't be ignoring its unused bits... The X509_FLAG_NO_IDS flag has no effect for CSRs. discussed with beck ok job kenjiro (on an earlier version) X509_print and friends: switch from BIO_write() to BIO_printf() 2025-06-25T18:28:47+00:00 tb 2025-06-25T18:28:47+00:00 urn:sha1:a4426ba3128325167349959c43db7e5f7c233ebf Manually counting letters in const strings is ... suboptimal. ok beck jsing Fix smatch warning in asn1_primitive_print() 2025-06-07T09:28:00+00:00 tb 2025-06-07T09:28:00+00:00 urn:sha1:c7d111899342662acc283c79460c528fac240a59 Remove unnecessary and inconsistent NULL check for 'it', which the only caller, asn1_item_print_ctx(), already dereferenced. found by jsg ok kenjiro correct indentation, no functional change 2025-06-02T12:18:22+00:00 jsg 2025-06-02T12:18:22+00:00 urn:sha1:0a9ae15841c7f994ec48b5317b89dbfe586ddcc7 found with smatch, ok tb@