Drop cached certificate signature validity flag
authorViktor Dukhovni <openssl-users@dukhovni.org>
Sun, 17 Jan 2016 07:33:14 +0000 (02:33 -0500)
committerViktor Dukhovni <openssl-users@dukhovni.org>
Mon, 18 Jan 2016 18:20:48 +0000 (13:20 -0500)
It seems risky in the context of cross-signed certificates when the
same certificate might have multiple potential issuers.  Also rarely
used, since chains in OpenSSL typically only employ self-signed
trust-anchors, whose self-signatures are not checked, while untrusted
certificates are generally ephemeral.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
crypto/include/internal/x509_int.h
crypto/x509/x509_vfy.c
crypto/x509/x_x509.c

index 5997a21c61f5da7747e9adc7da99f12409fbf884..c11d3b372e08fd693be24713d04a8dfef204b7cf 100644 (file)
@@ -192,7 +192,6 @@ struct x509_st {
     X509_CINF cert_info;
     X509_ALGOR sig_alg;
     ASN1_BIT_STRING signature;
-    int valid;
     int references;
     char *name;
     CRYPTO_EX_DATA ex_data;
index 48d936791f38a6fea4a9dc387f1c0fea230e0aca..ec9c3211cc80b7f2a43e3cef0fb2f7b3df67970b 100644 (file)
@@ -1618,9 +1618,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
          * explicitly asked for. It doesn't add any security and just wastes
          * time.
          */
-        if (!xs->valid
-            && (xs != xi
-                || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
+        if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
             if ((pkey = X509_get0_pubkey(xi)) == NULL) {
                 ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
                 ctx->current_cert = xi;
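Review bot: The comment above the rewritten condition in internal_verify (it begins outside this hunk) explains why self-signed signatures are skipped, but nothing records why the result is no longer cached on the certificate. Without that note, the `valid` shortcut could be reintroduced later as an optimisation. I would add, directly before the `if`, something like `/* Deliberately not cached on xs: the result depends on the issuer key xi, and a cross-signed cert may have several candidate issuers. */`. The signature check itself sits between this hunk and the next and is not visible here, but from the condition it now appears to run for every non-self-signed certificate on each call. If that cost is visible to callers that re-verify long-lived chains, it deserves a line in the change log.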
@@ -1636,8 +1634,6 @@ static int internal_verify(X509_STORE_CTX *ctx)
             }
         }
 
-        xs->valid = 1;
-
  check_cert:
         ok = x509_check_cert_time(ctx, xs, 0);
         if (!ok)
index 47333217e7ee7def0a3a10612e25c1db174c5356..53a5eb77f976d136706f13eedcb45982a959f4f1 100644 (file)
@@ -90,7 +90,6 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
     switch (operation) {
 
     case ASN1_OP_NEW_POST:
-        ret->valid = 0;
         ret->name = NULL;
         ret->ex_flags = 0;
         ret->ex_pathlen = -1;