Skip to content

fix various issues in x509_vfy.c and v3_purp.c related to #1418 and the respective documentation #10587

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 9 commits into from
Closed

fix various issues in x509_vfy.c and v3_purp.c related to #1418 and the respective documentation #10587

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
d9eb5df
Improve documentation, layout, and code comments regarding self-issue…
DDvO Dec 23, 2019
c619008
Refactor (without semantic changes) crypto/x509/{v3_purp.c,x509_vfy.c}
DDvO Dec 23, 2019
f8bdc69
Make x509 -force_pubkey test case with self-issued cert more realistic
DDvO Dec 23, 2019
4883dd3
Add four more verify test cases on the self-signed Ed25519 and self-i…
DDvO Dec 23, 2019
f8ef764
Optimization and safety precaution in find_issuer() of x509_vfy.c:
DDvO Dec 24, 2019
21db0c1
Fix issue 1418 by moving check of KU_KEY_CERT_SIGN and weakening chec…
DDvO Dec 24, 2019
026b04f
Move doc of X509{,_REQ,_CRL}_verify{,_ex}() from X509_sign.pod to new…
DDvO Jun 27, 2020
834d505
Add X509_self_signed(), extending and improving documenation and tests
DDvO Dec 28, 2019
ab88738
X509v3_cache_extensions(): Improve coding style and doc, fix case 'sh…
DDvO Jun 27, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion apps/verify.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -356,7 +356,7 @@ static int cb(int ok, X509_STORE_CTX *ctx)
policies_print(ctx);
/* fall thru */
case X509_V_ERR_CERT_HAS_EXPIRED:
/* Continue even if the leaf is a self signed cert */
/* Continue even if the leaf is a self-signed cert */
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
/* Continue after extension errors too */
case X509_V_ERR_INVALID_CA:
Expand Down
10 changes: 5 additions & 5 deletions apps/x509.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -135,7 +135,7 @@ const OPTIONS x509_options[] = {
{"setalias", OPT_SETALIAS, 's', "Set certificate alias"},
{"days", OPT_DAYS, 'n',
"How long till expiry of a signed certificate - def 30 days"},
{"signkey", OPT_SIGNKEY, 's', "Self sign cert with arg"},
{"signkey", OPT_SIGNKEY, 's', "Self-sign cert with arg"},
{"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
{"extensions", OPT_EXTENSIONS, 's', "Section from config file to use"},
{"certopt", OPT_CERTOPT, 's', "Various certificate text options"},
Expand Down Expand Up @@ -1030,7 +1030,7 @@ static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *diges
goto end;

/*
* NOTE: this certificate can/should be self signed, unless it was a
* NOTE: this certificate can/should be self-signed, unless it was a
* certificate request in which case it is not.
*/
X509_STORE_CTX_set_cert(xsc, x);
Expand Down Expand Up @@ -1084,8 +1084,8 @@ static int callb(int ok, X509_STORE_CTX *ctx)
X509 *err_cert;

/*
* it is ok to use a self signed certificate This case will catch both
* the initial ok == 0 and the final ok == 1 calls to this function
* It is ok to use a self-signed certificate. This case will catch both
* the initial ok == 0 and the final ok == 1 calls to this function.
*/
err = X509_STORE_CTX_get_error(ctx);
if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
Expand All @@ -1098,7 +1098,7 @@ static int callb(int ok, X509_STORE_CTX *ctx)
*/
if (ok) {
BIO_printf(bio_err,
"error with certificate to be certified - should be self signed\n");
"error with certificate to be certified - should be self-signed\n");
return 0;
} else {
err_cert = X509_STORE_CTX_get_current_cert(ctx);
Expand Down
8 changes: 4 additions & 4 deletions crypto/cmp/cmp_util.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -218,7 +218,7 @@ int ossl_cmp_sk_X509_add1_cert(STACK_OF(X509) *sk, X509 *cert,
}

int ossl_cmp_sk_X509_add1_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs,
int no_self_issued, int no_dups, int prepend)
int no_self_signed, int no_dups, int prepend)
/* compiler would allow 'const' for the list of certs, yet they are up-ref'ed */
{
int i;
Expand All @@ -230,7 +230,7 @@ int ossl_cmp_sk_X509_add1_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs,
for (i = 0; i < sk_X509_num(certs); i++) { /* certs may be NULL */
X509 *cert = sk_X509_value(certs, i);

if (!no_self_issued || X509_check_issued(cert, cert) != X509_V_OK) {
if (!no_self_signed || X509_self_signed(cert, 0) != 1) {
if (!ossl_cmp_sk_X509_add1_cert(sk, cert, no_dups, prepend))
return 0;
}
Expand All @@ -239,7 +239,7 @@ int ossl_cmp_sk_X509_add1_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs,
}

int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
int only_self_issued)
int only_self_signed)
{
int i;

Expand All @@ -252,7 +252,7 @@ int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
for (i = 0; i < sk_X509_num(certs); i++) {
X509 *cert = sk_X509_value(certs, i);

if (!only_self_issued || X509_check_issued(cert, cert) == X509_V_OK)
if (!only_self_signed || X509_self_signed(cert, 0) == 1)
if (!X509_STORE_add_cert(store, cert)) /* ups cert ref counter */
return 0;
}
Expand Down
Loading