From 244374d8dda906a87c40f39a8ed949cf07a1c8f3 Mon Sep 17 00:00:00 2001 From: beck <> Date: Thu, 4 Nov 2021 23:52:34 +0000 Subject: Cache sha512 hash and parsed not_before and not_after with X509 cert. Replace sha1 hash use with sha512 for certificate comparisons internal to the library. use the cached sha512 for the validator's verification cache. Reduces our recomputation of hashes, and heavy use of time1 time conversion functions noticed bu claudio@ in rpki client. ok jsing@ tb@ --- src/lib/libcrypto/ts/ts_rsp_sign.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'src/lib/libcrypto/ts/ts_rsp_sign.c') diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c index 828407aa4b..cbd7039abe 100644 --- a/src/lib/libcrypto/ts/ts_rsp_sign.c +++ b/src/lib/libcrypto/ts/ts_rsp_sign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts_rsp_sign.c,v 1.24 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: ts_rsp_sign.c,v 1.25 2021/11/04 23:52:34 beck Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2002. */ @@ -849,14 +849,18 @@ ESS_CERT_ID_new_init(X509 *cert, int issuer_needed) { ESS_CERT_ID *cid = NULL; GENERAL_NAME *name = NULL; + unsigned char cert_hash[TS_HASH_LEN]; /* Recompute SHA1 hash of certificate if necessary (side effect). */ X509_check_purpose(cert, -1, 0); if (!(cid = ESS_CERT_ID_new())) goto err; - if (!ASN1_OCTET_STRING_set(cid->hash, cert->sha1_hash, - sizeof(cert->sha1_hash))) + + if (!X509_digest(cert, TS_HASH_EVP, cert_hash, NULL)) + goto err; + + if (!ASN1_OCTET_STRING_set(cid->hash, cert_hash, sizeof(cert_hash))) goto err; /* Setting the issuer/serial if requested. */ -- cgit v1.2.3-55-g6feb