git.ipfire.org Git - thirdparty/openssl.git/commit - util/libcrypto.num
X509: Refactor X509_verify() and X509_REQ_verify() for better streamlining
author Richard Levitte <levitte@openssl.org>
Fri, 24 Jan 2020 17:04:19 +0000 (18:04 +0100)
committer Richard Levitte <levitte@openssl.org>
Sun, 2 Feb 2020 11:04:00 +0000 (12:04 +0100)
commit bbaddbc0682a4cd3271ee41f58550f7c26e8194e
tree a8abaf3558363c2112bf62000db1cc904f38b6c7
parent 0943d5dd6179e2e824ec9a38b7ea6caa17a84ebd

The solution to incorporate the SM2 identity processing was an off
the side hack that more or less duplicated the ASN1_item_verify()
code with just a few lines being different.  We replace this with
a new function ASN1_item_verify_ctx(), which takes an EVP_MD_CTX
pointer instead of an EVP_PKEY pointer, just like its sibling
ASN1_item_sign_ctx().

This allows us to refactor X509_verify() and X509_REQ_verify() to
simply create a local EVP_MD_CTX and an attached EVP_PKEY_CTX,
which gets to hold the SM2 identity, if there is one, and then let
ASN1_item_verify_ctx() do its job.

This will also make it easier to adapt ASN1_item_verify_ctx() for
provider based keys.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10942)
crypto/asn1/a_verify.c
crypto/x509/x_all.c
include/openssl/x509.h
util/libcrypto.num