diff options
| author | kn <> | 2022-07-16 16:42:58 +0000 |
|---|---|---|
| committer | kn <> | 2022-07-16 16:42:58 +0000 |
| commit | 217bed43f8d6326e24ab77f10b3fad954be5a81f (patch) | |
| tree | 97a79518895ea39e503c05c09ea6bbba78aed03c | |
| parent | 10cb0b8ddd0c736d4b9e22896adcc429d4800820 (diff) | |
| download | openbsd-217bed43f8d6326e24ab77f10b3fad954be5a81f.tar.gz openbsd-217bed43f8d6326e24ab77f10b3fad954be5a81f.tar.bz2 openbsd-217bed43f8d6326e24ab77f10b3fad954be5a81f.zip | |
Avoid direct X509 structure access
Cherry-picked from OpenSSL commit a8d8e06b0ac06c421fd11cc1772126dcb98f79ae.
This reduces upcoming TS changes.
OK jsing tb
| -rw-r--r-- | src/lib/libcrypto/ts/ts_rsp_sign.c | 8 | ||||
| -rw-r--r-- | src/lib/libcrypto/ts/ts_rsp_verify.c | 16 |
2 files changed, 12 insertions, 12 deletions
diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c index 470cbfb7ea..55738875db 100644 --- a/src/lib/libcrypto/ts/ts_rsp_sign.c +++ b/src/lib/libcrypto/ts/ts_rsp_sign.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ts_rsp_sign.c,v 1.26 2021/12/12 21:30:14 tb Exp $ */ | 1 | /* $OpenBSD: ts_rsp_sign.c,v 1.27 2022/07/16 16:42:58 kn Exp $ */ |
| 2 | /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL | 2 | /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL |
| 3 | * project 2002. | 3 | * project 2002. |
| 4 | */ | 4 | */ |
| @@ -654,7 +654,7 @@ TS_RESP_create_tst_info(TS_RESP_CTX *ctx, ASN1_OBJECT *policy) | |||
| 654 | goto end; | 654 | goto end; |
| 655 | tsa_name->type = GEN_DIRNAME; | 655 | tsa_name->type = GEN_DIRNAME; |
| 656 | tsa_name->d.dirn = | 656 | tsa_name->d.dirn = |
| 657 | X509_NAME_dup(ctx->signer_cert->cert_info->subject); | 657 | X509_NAME_dup(X509_get_subject_name(ctx->signer_cert)); |
| 658 | if (!tsa_name->d.dirn) | 658 | if (!tsa_name->d.dirn) |
| 659 | goto end; | 659 | goto end; |
| 660 | if (!TS_TST_INFO_set_tsa(tst_info, tsa_name)) | 660 | if (!TS_TST_INFO_set_tsa(tst_info, tsa_name)) |
| @@ -874,7 +874,7 @@ ESS_CERT_ID_new_init(X509 *cert, int issuer_needed) | |||
| 874 | if (!(name = GENERAL_NAME_new())) | 874 | if (!(name = GENERAL_NAME_new())) |
| 875 | goto err; | 875 | goto err; |
| 876 | name->type = GEN_DIRNAME; | 876 | name->type = GEN_DIRNAME; |
| 877 | if (!(name->d.dirn = X509_NAME_dup(cert->cert_info->issuer))) | 877 | if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL) |
| 878 | goto err; | 878 | goto err; |
| 879 | if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name)) | 879 | if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name)) |
| 880 | goto err; | 880 | goto err; |
| @@ -882,7 +882,7 @@ ESS_CERT_ID_new_init(X509 *cert, int issuer_needed) | |||
| 882 | /* Setting the serial number. */ | 882 | /* Setting the serial number. */ |
| 883 | ASN1_INTEGER_free(cid->issuer_serial->serial); | 883 | ASN1_INTEGER_free(cid->issuer_serial->serial); |
| 884 | if (!(cid->issuer_serial->serial = | 884 | if (!(cid->issuer_serial->serial = |
| 885 | ASN1_INTEGER_dup(cert->cert_info->serialNumber))) | 885 | ASN1_INTEGER_dup(X509_get_serialNumber(cert)))) |
| 886 | goto err; | 886 | goto err; |
| 887 | } | 887 | } |
| 888 | 888 | ||
diff --git a/src/lib/libcrypto/ts/ts_rsp_verify.c b/src/lib/libcrypto/ts/ts_rsp_verify.c index 8b15760be9..24a7055177 100644 --- a/src/lib/libcrypto/ts/ts_rsp_verify.c +++ b/src/lib/libcrypto/ts/ts_rsp_verify.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ts_rsp_verify.c,v 1.24 2021/12/12 21:30:14 tb Exp $ */ | 1 | /* $OpenBSD: ts_rsp_verify.c,v 1.25 2022/07/16 16:42:58 kn Exp $ */ |
| 2 | /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL | 2 | /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL |
| 3 | * project 2002. | 3 | * project 2002. |
| 4 | */ | 4 | */ |
| @@ -74,7 +74,7 @@ static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, | |||
| 74 | static int TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain); | 74 | static int TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain); |
| 75 | static ESS_SIGNING_CERT *ESS_get_signing_cert(PKCS7_SIGNER_INFO *si); | 75 | static ESS_SIGNING_CERT *ESS_get_signing_cert(PKCS7_SIGNER_INFO *si); |
| 76 | static int TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert); | 76 | static int TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert); |
| 77 | static int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo); | 77 | static int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert); |
| 78 | static int int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx, | 78 | static int int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx, |
| 79 | PKCS7 *token, TS_TST_INFO *tst_info); | 79 | PKCS7 *token, TS_TST_INFO *tst_info); |
| 80 | static int TS_check_status_info(TS_RESP *response); | 80 | static int TS_check_status_info(TS_RESP *response); |
| @@ -346,7 +346,7 @@ TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) | |||
| 346 | cert_hash, TS_HASH_LEN)) { | 346 | cert_hash, TS_HASH_LEN)) { |
| 347 | /* Check the issuer/serial as well if specified. */ | 347 | /* Check the issuer/serial as well if specified. */ |
| 348 | ESS_ISSUER_SERIAL *is = cid->issuer_serial; | 348 | ESS_ISSUER_SERIAL *is = cid->issuer_serial; |
| 349 | if (!is || !TS_issuer_serial_cmp(is, cert->cert_info)) | 349 | if (is == NULL || !TS_issuer_serial_cmp(is, cert)) |
| 350 | return i; | 350 | return i; |
| 351 | } | 351 | } |
| 352 | } | 352 | } |
| @@ -355,21 +355,21 @@ TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) | |||
| 355 | } | 355 | } |
| 356 | 356 | ||
| 357 | static int | 357 | static int |
| 358 | TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo) | 358 | TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert) |
| 359 | { | 359 | { |
| 360 | GENERAL_NAME *issuer; | 360 | GENERAL_NAME *issuer; |
| 361 | 361 | ||
| 362 | if (!is || !cinfo || sk_GENERAL_NAME_num(is->issuer) != 1) | 362 | if (is == NULL || cert == NULL || sk_GENERAL_NAME_num(is->issuer) != 1) |
| 363 | return -1; | 363 | return -1; |
| 364 | 364 | ||
| 365 | /* Check the issuer first. It must be a directory name. */ | 365 | /* Check the issuer first. It must be a directory name. */ |
| 366 | issuer = sk_GENERAL_NAME_value(is->issuer, 0); | 366 | issuer = sk_GENERAL_NAME_value(is->issuer, 0); |
| 367 | if (issuer->type != GEN_DIRNAME || | 367 | if (issuer->type != GEN_DIRNAME || |
| 368 | X509_NAME_cmp(issuer->d.dirn, cinfo->issuer)) | 368 | X509_NAME_cmp(issuer->d.dirn, X509_get_issuer_name(cert))) |
| 369 | return -1; | 369 | return -1; |
| 370 | 370 | ||
| 371 | /* Check the serial number, too. */ | 371 | /* Check the serial number, too. */ |
| 372 | if (ASN1_INTEGER_cmp(is->serial, cinfo->serialNumber)) | 372 | if (ASN1_INTEGER_cmp(is->serial, X509_get_serialNumber(cert))) |
| 373 | return -1; | 373 | return -1; |
| 374 | 374 | ||
| 375 | return 0; | 375 | return 0; |
| @@ -726,7 +726,7 @@ TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer) | |||
| 726 | 726 | ||
| 727 | /* Check the subject name first. */ | 727 | /* Check the subject name first. */ |
| 728 | if (tsa_name->type == GEN_DIRNAME && | 728 | if (tsa_name->type == GEN_DIRNAME && |
| 729 | X509_NAME_cmp(tsa_name->d.dirn, signer->cert_info->subject) == 0) | 729 | X509_name_cmp(tsa_name->d.dirn, X509_get_subject_name(signer)) == 0) |
| 730 | return 1; | 730 | return 1; |
| 731 | 731 | ||
| 732 | /* Check all the alternative names. */ | 732 | /* Check all the alternative names. */ |