if (verbose)
BIO_printf(bio_err, "making CRL\n");
- if ((crl = X509_CRL_new()) == NULL)
+ if ((crl = X509_CRL_new_ex(app_get0_libctx(), app_get0_propq())) == NULL)
goto end;
if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509)))
goto end;
case OPT_RSIGOPT:
if (rsign_sigopts == NULL)
rsign_sigopts = sk_OPENSSL_STRING_new_null();
- if (rsign_sigopts == NULL || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg()))
+ if (rsign_sigopts == NULL
+ || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg()))
goto end;
break;
case OPT_HEADER:
if (key == NULL)
goto end;
- if (!OCSP_request_sign
- (req, signer, key, NULL, sign_other, sign_flags)) {
+ if (!OCSP_request_sign(req, signer, key, NULL,
+ sign_other, sign_flags)) {
BIO_printf(bio_err, "Error signing OCSP request\n");
goto end;
}
if (rdb != NULL) {
make_ocsp_response(bio_err, &resp, req, rdb, rca_cert, rsigner, rkey,
- rsign_md, rsign_sigopts, rother, rflags, nmin, ndays, badsig,
- resp_certid_md);
+ rsign_md, rsign_sigopts, rother, rflags, nmin, ndays,
+ badsig, resp_certid_md);
if (cbio != NULL)
send_ocsp_response(cbio, resp);
} else if (host != NULL) {
}
if (req == NULL) {
- req = X509_REQ_new();
+ req = X509_REQ_new_ex(app_get0_libctx(), app_get0_propq());
if (req == NULL) {
goto end;
}
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
return 0;
}
+ /* We can use the non _ex variant here since the pkey is already setup */
if (!EVP_DigestSignInit(ctx, NULL, md, NULL, pkey))
goto err;
OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
goto err;
}
- if (!OCSP_REQUEST_sign(req, key, dgst))
+ if (!OCSP_REQUEST_sign(req, key, dgst, signer->libctx, signer->propq))
goto err;
}
STACK_OF(ACCESS_DESCRIPTION) *locator;
};
-# define OCSP_REQUEST_sign(o,pkey,md) \
- ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
- &(o)->optionalSignature->signatureAlgorithm,NULL,\
- (o)->optionalSignature->signature,&(o)->tbsRequest,pkey,md)
-
-# define OCSP_BASICRESP_sign(o,pkey,md,d) \
- ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
- NULL,(o)->signature,&(o)->tbsResponseData,pkey,md)
-
-# define OCSP_BASICRESP_sign_ctx(o,ctx,d) \
- ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
- NULL,(o)->signature,&(o)->tbsResponseData,ctx)
-
-# define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
- &(a)->optionalSignature->signatureAlgorithm,\
- (a)->optionalSignature->signature,&(a)->tbsRequest,r)
-
-# define OCSP_BASICRESP_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
- &(a)->signatureAlgorithm,(a)->signature,&(a)->tbsResponseData,r)
+# define OCSP_REQUEST_sign(o, pkey, md, libctx, propq)\
+ ASN1_item_sign_ex(ASN1_ITEM_rptr(OCSP_REQINFO),\
+ &(o)->optionalSignature->signatureAlgorithm, NULL,\
+ (o)->optionalSignature->signature, &(o)->tbsRequest,\
+ NULL, pkey, md, libctx, propq)
+
+# define OCSP_BASICRESP_sign(o, pkey, md, d, libctx, propq)\
+ ASN1_item_sign_ex(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+ &(o)->signatureAlgorithm, NULL,\
+ (o)->signature, &(o)->tbsResponseData,\
+ NULL, pkey, md, libctx, propq)
+
+# define OCSP_BASICRESP_sign_ctx(o, ctx, d)\
+ ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+ &(o)->signatureAlgorithm, NULL,\
+ (o)->signature, &(o)->tbsResponseData, ctx)
+
+# define OCSP_REQUEST_verify(a, r, libctx, propq)\
+ ASN1_item_verify_ex(ASN1_ITEM_rptr(OCSP_REQINFO),\
+ &(a)->optionalSignature->signatureAlgorithm,\
+ (a)->optionalSignature->signature, &(a)->tbsRequest,\
+ NULL, r, libctx, propq)
+
+# define OCSP_BASICRESP_verify(a, r, libctx, propq)\
+ ASN1_item_verify_ex(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+ &(a)->signatureAlgorithm, (a)->signature,\
+ &(a)->tbsResponseData, NULL, r, libctx, propq)
if (ctx == NULL)
return 0;
- if (!EVP_DigestSignInit(ctx, &pkctx, dgst, NULL, key)) {
+ if (!EVP_DigestSignInit_ex(ctx, &pkctx, EVP_MD_name(dgst),
+ signer->libctx, signer->propq, key, NULL)) {
EVP_MD_CTX_free(ctx);
return 0;
}
int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert)
{
- return OCSP_RESPID_set_by_key_ex(respid, cert, NULL, NULL);
+ return OCSP_RESPID_set_by_key_ex(respid, cert, cert->libctx, cert->propq);
}
int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx,
int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert)
{
- return OCSP_RESPID_match_ex(respid, cert, NULL, NULL);
+ return OCSP_RESPID_match_ex(respid, cert, cert->libctx, cert->propq);
}
return -1;
}
if (req != NULL)
- ret = OCSP_REQUEST_verify(req, skey);
+ ret = OCSP_REQUEST_verify(req, skey, signer->libctx, signer->propq);
else
- ret = OCSP_BASICRESP_verify(bs, skey);
+ ret = OCSP_BASICRESP_verify(bs, skey, signer->libctx, signer->propq);
if (ret <= 0)
ERR_raise(ERR_LIB_OCSP, OCSP_R_SIGNATURE_FAILURE);
}
return NULL;
}
/* Create new CRL */
- crl = X509_CRL_new();
+ crl = X509_CRL_new_ex(base->libctx, base->propq);
if (crl == NULL || !X509_CRL_set_version(crl, 1))
goto memerr;
/* Set issuer name */
int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
{
x->cert_info.enc.modified = 1;
- return ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
- &x->sig_alg, &x->signature, &x->cert_info, pkey, md);
+ return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
+ &x->sig_alg, &x->signature, &x->cert_info, NULL,
+ pkey, md, x->libctx, x->propq);
}
int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
{
- return ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
- x->signature, &x->req_info, pkey, md);
+ return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
+ x->signature, &x->req_info, NULL,
+ pkey, md, x->libctx, x->propq);
}
int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
{
x->crl.enc.modified = 1;
- return ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
- &x->sig_alg, &x->signature, &x->crl, pkey, md);
+ return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
+ &x->sig_alg, &x->signature, &x->crl, NULL,
+ pkey, md, x->libctx, x->propq);
}
int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
{
- return ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
- x->signature, x->spkac, pkey, md);
+ return ASN1_item_sign_ex(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
+ x->signature, x->spkac, NULL, pkey, md, NULL, NULL);
}
#ifndef OPENSSL_NO_STDIO
(ASN1_STRING *)&(*b)->serialNumber));
}
+X509_CRL *X509_CRL_new_ex(OSSL_LIB_CTX *libctx, const char *propq)
+{
+ X509_CRL *crl = NULL;
+
+ crl = (X509_CRL *)ASN1_item_new((X509_CRL_it()));
+ if (!ossl_x509_crl_set0_libctx(crl, libctx, propq)) {
+ X509_CRL_free(crl);
+ crl = NULL;
+ }
+ return crl;
+}
+
int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
{
X509_CRL_INFO *inf;
static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r)
{
- return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO),
- &crl->sig_alg, &crl->signature, &crl->crl, r));
+ return (ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CRL_INFO),
+ &crl->sig_alg, &crl->signature, &crl->crl, NULL,
+ r, crl->libctx, crl->propq));
}
static int crl_revoked_issuer_match(X509_CRL *crl, const X509_NAME *nm,
X509_CRL_INFO_new,
X509_CRL_dup,
X509_CRL_free,
+X509_CRL_new_ex,
X509_CRL_new,
X509_EXTENSION_dup,
X509_EXTENSION_free,
B<I<TYPE>_new_ex>() is similiar to B<I<TYPE>_new>() but also passes the
library context I<libctx> and the property query I<propq> to use when retrieving
-algorithms from providers.
+algorithms from providers. This created object can then be used when loading
+binary data using B<d2i_I<TYPE>>().
B<I<TYPE>_dup>() copies an existing object, leaving it untouched.
=head1 HISTORY
-The functions PKCS7_new_ex() and CMS_ContentInfo_new_ex() were
-added in OpenSSL 3.0.
+The functions X509_REQ_new_ex(), X509_CRL_new_ex(), PKCS7_new_ex() and
+CMS_ContentInfo_new_ex() were added in OpenSSL 3.0.
The functions DSAparams_dup(), RSAPrivateKey_dup() and RSAPublicKey_dup() were
deprecated in 3.0.
library context of I<libctx>, property query of <propq> and a reference
count of B<1>. Many X509 functions such as X509_check_purpose(), and
X509_verify() use this library context to select which providers supply the
-fetched algorithms (SHA1 is used internally).
+fetched algorithms (SHA1 is used internally). This created X509 object can then
+be used when loading binary data using d2i_X509().
X509_new() is similar to X509_new_ex() but sets the library context
and property query to NULL. This results in the default (NULL) library context
DECLARE_ASN1_FUNCTIONS(X509_REVOKED)
DECLARE_ASN1_FUNCTIONS(X509_CRL_INFO)
DECLARE_ASN1_FUNCTIONS(X509_CRL)
+X509_CRL *X509_CRL_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
int X509_CRL_get0_by_serial(X509_CRL *crl,
EVP_KEM_description ? 3_0_0 EXIST::FUNCTION:
EVP_KEYEXCH_description ? 3_0_0 EXIST::FUNCTION:
EVP_KDF_description ? 3_0_0 EXIST::FUNCTION:
+X509_CRL_new_ex ? 3_0_0 EXIST::FUNCTION: