Make OCSP cert id code tolerate a missing issuer certificate
authorDr. Stephen Henson <steve@openssl.org>
Fri, 23 Feb 2001 13:04:24 +0000 (13:04 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 23 Feb 2001 13:04:24 +0000 (13:04 +0000)
or serial number.

CHANGES
crypto/ocsp/ocsp_lib.c

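--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,12 @@
 
  Changes between 0.9.6 and 0.9.7  [xx XXX 2000]
 
+  *) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
+     OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate
+     ID to be generated from the issuer certificate alone which can then be
+     passed to OCSP_id_issuer_cmp().
+     [Steve Henson]
+
   *) New compilation option ASN1_ITEM_FUNCTIONS. This causes the new
      ASN1 modules to export functions returning ASN1_ITEM pointers
      instead of the ASN1_ITEM structures themselves. This adds several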
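--- a/crypto/ocsp/ocsp_lib.c
+++ b/crypto/ocsp/ocsp_lib.c
@@ -80,8 +80,16 @@ OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
 #ifndef OPENSSL_NO_SHA1
        if(!dgst) dgst = EVP_sha1();
 #endif
-       iname = X509_get_issuer_name(subject);
-       serial = X509_get_serialNumber(subject);
+       if (subject)
+               {
+               iname = X509_get_issuer_name(subject);
+               serial = X509_get_serialNumber(subject);
+               }
+       else
+               {
+               iname = X509_get_subject_name(issuer);
+               serial = NULL;
+               }
        ikey = X509_get0_pubkey_bitstr(issuer);
        return OCSP_cert_id_new(dgst, iname, ikey, serial);
 }
@@ -118,9 +126,12 @@ OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
        EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst);
 
        if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) goto err;
-       
-       if (cid->serialNumber != NULL) ASN1_INTEGER_free(cid->serialNumber);
-       if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) goto err;
+
+       if (serialNumber)
+               {
+               ASN1_INTEGER_free(cid->serialNumber);
+               if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) goto err;
+               }
        return cid;
 digerr:
        OCSPerr(OCSP_F_CERT_ID_NEW,OCSP_R_DIGEST_ERR);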
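Review bot: The new `else` branch in OCSP_cert_to_id() dereferences `issuer` unconditionally via `X509_get_subject_name(issuer)`, and `ikey` is handed to OCSP_cert_id_new(), where the second hunk's context reads `issuerKey->data` with no NULL test in view. The issuer certificate therefore stays mandatory even though the commit title speaks of a missing issuer. A guard such as `if (!issuer) return NULL;` ahead of the branch, plus a check that `ikey` is non-NULL before the call, would make that contract explicit. The `if (serialNumber)` block also deserves a comment, for example `/* partial ID: serial left as allocated, only meaningful for OCSP_id_issuer_cmp() */`, because with a NULL serial `cid->serialNumber` keeps whatever the allocator set up (not visible here), and such an ID should not end up in a request or a full-ID comparison. Both function bodies begin outside the hunks, so earlier checks may exist that are not shown.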