openbsd/src/lib/libcrypto/x509, branch libressl-v3.2.0

openbsd/src/lib/libcrypto/x509, branch libressl-v3.2.0 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v3.2.0 2020-05-31T17:23:39+00:00 When building a chain look for non-expired certificates first. 2020-05-31T17:23:39+00:00 jsing 2020-05-31T17:23:39+00:00 urn:sha1:b58339bdd340fd191f9c64b87b63329517526f62 Currently, when building a certificate chain we look up an issuer and if it is the only issuer certificate available we still use it even if it has expired. When X509_V_FLAG_TRUSTED_FIRST is not in use, untrusted certificates are processed first and if one of these happens to be expired it will be used to build the chain, even if there is another non-expired option in the trusted store. Rework this code so that we first look for a non-expired untrusted certificate. If one does not exist then we take a look in the trusted store to see if we would be able to build the chain and only if there is not, do we then look for an expired untrusted certificate. This makes certificate validation possible for various sites that are serving expired AddTrust certificates. Issue reported by Christian Heimes via GitHub. ok beck@ tb@ add stdlib.h for reallocarray 2019-05-23T02:08:34+00:00 bcook 2019-05-23T02:08:34+00:00 urn:sha1:1389c4004bc3bfabbd0500291f1399f76dd901cc Fix a number of ASN1_INTEGER vs ASN1_STRING mixups coming from the 2019-03-13T20:34:00+00:00 tb 2019-03-13T20:34:00+00:00 urn:sha1:5ac8b80c66d7d9f6dab1bfdf23f0578eb05dffa0 mechanical M_ASN1 macro expansion. The ASN1_INTEGER_cmp function takes signs into account while ASN1_STRING_cmp doesn't. The mixups mostly involve serialNumbers, which, in principle, should be positive. However, it is unclear whether that is checked or enforced anywhere in the code, so these are probably bugs. Patch from Holger Mikolon ok jsing Typo in comment. 2019-03-06T05:06:58+00:00 tb 2019-03-06T05:06:58+00:00 urn:sha1:f70292937cfa185badac27a7244dfeb186e42744 From Holger Mikolon Add const to EVP_PKCS82PKEY(). 2018-08-24T20:26:03+00:00 tb 2018-08-24T20:26:03+00:00 urn:sha1:2e9cc12db341d66727099e500ca968482802fde1 tested in a bulk by sthen ok jsing After removing support for broken PKCS#8 formats (it was high time), 2018-08-24T20:17:33+00:00 tb 2018-08-24T20:17:33+00:00 urn:sha1:4cdbdc5207fa48804d8ed3a7929a97ae5f9f466d we can add const to PKCS8_pkey_get0(). In order for this to work, we need to sprinkle a few consts here and there. tested in a bulk by sthen ok jsing Remove EVP_PKEY2PKCS8_broken() and PKCS8_set_broken() 2018-08-24T20:07:42+00:00 tb 2018-08-24T20:07:42+00:00 urn:sha1:e4cf8ac5385c963bee0eb8d0e642abe1bb82ac78 Provide PKCS8_pkey_add1_attr_by_NID() and PKCS8_pkey_get0_attrs(). Remove the whole broken code and simplify pkcs8_priv_key_info_st accordingly. Based on OpenSSL commit 54dbf42398e23349b59f258a3dd60387bbc5ba13 plus some const that was added later. tested in a bulk build by sthen ok jsing Provide X509_get0_serialNumber() 2018-08-24T19:59:32+00:00 tb 2018-08-24T19:59:32+00:00 urn:sha1:b2896b6759d33e259f8f56f743ec2d54f5002a50 tested in a bulk by sthen ok jsing Turn a number of #defines into proper functions with prototypes matching 2018-08-24T19:55:58+00:00 tb 2018-08-24T19:55:58+00:00 urn:sha1:d005d0528a66f69dbf8fb1a50b86c1bf40e135bc those that OpenSSL has had for ages. ok jsing Make X509_OBJECT_up_ref_count return an int. 2018-08-24T19:21:09+00:00 tb 2018-08-24T19:21:09+00:00 urn:sha1:74eedf34845483dbab4527b97ece0c1697ff88ff Based on OpenSSL commit c5ebfcab713a82a1d46a51c8c2668c419425b387 tested in a bulk by sthen ok jsing