authorbeck <>2021-11-04 23:52:34 +0000
committerbeck <>2021-11-04 23:52:34 +0000
commit244374d8dda906a87c40f39a8ed949cf07a1c8f3 (patch)
tree3ca9bd91a3930e5f3e28873aa362dffdb8cf6227 /src/lib/libcrypto/ts/ts_rsp_sign.c
parentb866948734d2d995d78efdc04fb93574782722fa (diff)
Cache sha512 hash and parsed not_before and not_after with X509 cert.
Replace sha1 hash use with sha512 for certificate comparisons internal to the library. Use the cached sha512 for the validator's verification cache. Reduces our recomputation of hashes, and heavy use of time1 time conversion functions noticed by claudio@ in rpki client. ok jsing@ tb@
Diffstat (limited to 'src/lib/libcrypto/ts/ts_rsp_sign.c')
-rw-r--r--src/lib/libcrypto/ts/ts_rsp_sign.c10
1 files changed, 7 insertions, 3 deletions
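--- a/src/lib/libcrypto/ts/ts_rsp_sign.c
+++ b/src/lib/libcrypto/ts/ts_rsp_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_sign.c,v 1.24 2021/11/01 20:53:08 tb Exp $ */
+/* $OpenBSD: ts_rsp_sign.c,v 1.25 2021/11/04 23:52:34 beck Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -849,14 +849,18 @@ ESS_CERT_ID_new_init(X509 *cert, int issuer_needed)
 {
  ESS_CERT_ID *cid = NULL;
  GENERAL_NAME *name = NULL;
+ unsigned char cert_hash[TS_HASH_LEN];
 
  /* Recompute SHA1 hash of certificate if necessary (side effect). */
  X509_check_purpose(cert, -1, 0);
 
  if (!(cid = ESS_CERT_ID_new()))
  goto err;
- if (!ASN1_OCTET_STRING_set(cid->hash, cert->sha1_hash,
- sizeof(cert->sha1_hash)))
+
+ if (!X509_digest(cert, TS_HASH_EVP, cert_hash, NULL))
+ goto err;
+
+ if (!ASN1_OCTET_STRING_set(cid->hash, cert_hash, sizeof(cert_hash)))
  goto err;
 
  /* Setting the issuer/serial if requested. */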
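Review bot: The added `X509_digest(cert, TS_HASH_EVP, cert_hash, NULL)` call passes NULL for the output length, so nothing in this hunk ties the digest size of `TS_HASH_EVP` to the `TS_HASH_LEN` bytes of `cert_hash` that are then copied into `cid->hash` with `sizeof(cert_hash)`. Both macros are defined outside the hunk and presumably agree, but a mismatch would either write past the stack buffer or place uninitialised trailing bytes in the ESS certificate ID. Declaring `unsigned int len;` and using `if (!X509_digest(cert, TS_HASH_EVP, cert_hash, &len) || len != sizeof(cert_hash))` before the `goto err;` would make that assumption explicit. Separately, the retained comment `/* Recompute SHA1 hash of certificate if necessary (side effect). */` no longer explains the `X509_check_purpose(cert, -1, 0)` call, because the visible lines no longer read `cert->sha1_hash`. The comment should state what cached state the call is still needed for, or the call should go if nothing later in the function (which continues past this hunk) relies on it.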