Introduce an internal version of X509_check_issued()
authorMatt Caswell <matt@openssl.org>
Mon, 6 Apr 2020 11:14:30 +0000 (12:14 +0100)
committerMatt Caswell <matt@openssl.org>
Thu, 16 Apr 2020 13:19:52 +0000 (14:19 +0100)
The internal version is library context aware.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11507)

crypto/x509/v3_purp.c
crypto/x509/x509_vfy.c
include/crypto/x509.h

index bee8210..687d065 100644 (file)
@@ -811,14 +811,15 @@ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
  * codes for X509_verify_cert()
  */
 
-int X509_check_issued(X509 *issuer, X509 *subject)
+int x509_check_issued_int(X509 *issuer, X509 *subject, OPENSSL_CTX *libctx,
+                          const char *propq)
 {
     if (X509_NAME_cmp(X509_get_subject_name(issuer),
                       X509_get_issuer_name(subject)))
         return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
 
-    if (!X509v3_cache_extensions(issuer, NULL, NULL)
-            || !X509v3_cache_extensions(subject, NULL, NULL))
+    if (!X509v3_cache_extensions(issuer, libctx, propq)
+            || !X509v3_cache_extensions(subject, libctx, propq))
         return X509_V_ERR_UNSPECIFIED;
 
     if (subject->akid) {
@@ -853,6 +854,11 @@ int X509_check_issued(X509 *issuer, X509 *subject)
     return X509_V_OK;
 }
 
+int X509_check_issued(X509 *issuer, X509 *subject)
+{
+    return x509_check_issued_int(issuer, subject, NULL, NULL);
+}
+
 int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
 {
 
index c3eb261..9947944 100644 (file)
@@ -334,7 +334,7 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
         return ss;
     }
 
-    ret = X509_check_issued(issuer, x);
+    ret = x509_check_issued_int(issuer, x, ctx->libctx, ctx->propq);
     if (ret == X509_V_OK) {
         int i;
         X509 *ch;
index 560f3ab..1d2ec3e 100644 (file)
@@ -297,3 +297,7 @@ int x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm);
 int x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags);
 
 void x509_init_sig_info(X509 *x);
+
+
+int x509_check_issued_int(X509 *issuer, X509 *subject, OPENSSL_CTX *libctx,
+                          const char *propq);