Ensure libctx/propq is propagated when handling X509_REQ
authorMatt Caswell <matt@openssl.org>
Thu, 27 May 2021 14:03:06 +0000 (15:03 +0100)
committerPauli <pauli@openssl.org>
Sat, 5 Jun 2021 07:39:27 +0000 (17:39 +1000)
When we create an X509_REQ via d2i or dup we should ensure that the libctx
is properly propagated. We also ensure that the CMP tests create X509_REQ
objects with the proper libctx assigned.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)

crypto/x509/x_all.c
crypto/x509/x_req.c
test/cmp_client_test.c
test/cmp_msg_test.c
test/testutil.h
test/testutil/load.c

index 92b659d009213021e86818b68635098f3be83180..88c75c3d36566c563d7a19cefd19730a9a54496b 100644 (file)
@@ -239,7 +239,15 @@ int i2d_X509_REQ_fp(FILE *fp, const X509_REQ *req)
 
 X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req)
 {
-    return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_REQ), bp, req);
+    OSSL_LIB_CTX *libctx = NULL;
+    const char *propq = NULL;
+
+    if (req != NULL && *req != NULL) {
+        libctx = (*req)->libctx;
+        propq = (*req)->propq;
+    }
+
+    return ASN1_item_d2i_bio_ex(ASN1_ITEM_rptr(X509_REQ), bp, req, libctx, propq);
 }
 
 int i2d_X509_REQ_bio(BIO *bp, const X509_REQ *req)
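Review bot: The context is propagated only from a caller-supplied `*req`; a call with `req == NULL` or `*req == NULL` still decodes under the default library context, and that contract is what the pre-allocation with X509_REQ_new_ex() in test/testutil/load.c relies on, so it deserves to be stated at the function. A comment above the `if`, `/* Reuse the libctx/propq of a caller-supplied X509_REQ; with req == NULL or *req == NULL the default context applies */`, would make that explicit. If d2i_X509_REQ_fp() and the plain d2i_X509_REQ() still go through the non-_ex decoders they keep the old behaviour; that is not visible in this hunk.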
index 1b4e1587dd12ba3f16800cfe09631563cfb068e7..293d4be7133552375c96d38ddba5f66d8850e494 100644 (file)
@@ -68,6 +68,37 @@ static int req_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 
             if (!ossl_x509_req_set0_libctx(ret, old->libctx, old->propq))
                 return 0;
+            if (old->req_info.pubkey != NULL) {
+                EVP_PKEY *pkey = X509_PUBKEY_get0(old->req_info.pubkey);
+
+                if (pkey != NULL) {
+                    pkey = EVP_PKEY_dup(pkey);
+                    if (pkey == NULL) {
+                        ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
+                        return 0;
+                    }
+                    if (!X509_PUBKEY_set(&ret->req_info.pubkey, pkey)) {
+                        EVP_PKEY_free(pkey);
+                        ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
+                        return 0;
+                    }
+                    EVP_PKEY_free(pkey);
+                }
+            }
+        }
+        break;
+    case ASN1_OP_GET0_LIBCTX:
+        {
+            OSSL_LIB_CTX **libctx = exarg;
+
+            *libctx = ret->libctx;
+        }
+        break;
+    case ASN1_OP_GET0_PROPQ:
+        {
+            const char **propq = exarg;
+
+            *propq = ret->propq;
         }
         break;
     }
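Review bot: In the ASN1_OP_DUP_POST branch a NULL result from `X509_PUBKEY_get0(old->req_info.pubkey)` is treated as "nothing to copy" and the dup still succeeds, so whatever pubkey the generic i2d/d2i round trip left in `ret->req_info.pubkey` (presumably decoded in the default context) survives, and any error X509_PUBKEY_get0() raised for a key it could not decode stays on the error queue under a successful return. Either treat NULL as a failure, or bracket the lookup with `ERR_set_mark()`/`ERR_pop_to_mark()` and say in a comment that a key that was not decodable in the source request is deliberately not re-created. A comment above `if (old->req_info.pubkey != NULL)`, such as `/* Re-create the public key from the source request so it carries the source libctx/propq rather than the default context used by the generic dup round trip */`, would also explain why this block exists. The `ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR)` after a failed X509_PUBKEY_set() likely duplicates an error that call already raised. req_cb() starts before and continues after this hunk.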
index 863a765886777672aa124b8b7a29f2ebae82387d..f470f5e4456501d129b54b48aee3282add961383 100644 (file)
@@ -223,7 +223,7 @@ static int test_exec_P10CR_ses(void)
     SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
     fixture->req_type = OSSL_CMP_P10CR;
     fixture->expected = 1;
-    if (!TEST_ptr(req = load_csr_der(pkcs10_f))
+    if (!TEST_ptr(req = load_csr_der(pkcs10_f, libctx))
             || !TEST_true(OSSL_CMP_CTX_set1_p10CSR(fixture->cmp_ctx, req))) {
         tear_down(fixture);
         fixture = NULL;
index a9a858c07a5451fd4547c25bad8f83d45915d33d..4f2ca1b40b253688795c3fea7a34f40b16fa486e 100644 (file)
@@ -226,7 +226,7 @@ static int test_cmp_create_p10cr(void)
     fixture->bodytype = OSSL_CMP_PKIBODY_P10CR;
     fixture->err_code = CMP_R_ERROR_CREATING_CERTREQ;
     fixture->expected = 1;
-    if (!TEST_ptr(p10cr = load_csr_der(pkcs10_f))
+    if (!TEST_ptr(p10cr = load_csr_der(pkcs10_f, libctx))
             || !TEST_true(set1_newPkey(ctx, newkey))
             || !TEST_true(OSSL_CMP_CTX_set1_p10CSR(ctx, p10cr))) {
         tear_down(fixture);
@@ -504,7 +504,7 @@ static int test_cmp_pkimessage_create(int bodytype)
     switch (fixture->bodytype = bodytype) {
     case OSSL_CMP_PKIBODY_P10CR:
         fixture->expected = 1;
-        p10cr = load_csr_der(pkcs10_f);
+        p10cr = load_csr_der(pkcs10_f, libctx);
         if (!TEST_true(OSSL_CMP_CTX_set1_p10CSR(fixture->cmp_ctx, p10cr))) {
             tear_down(fixture);
             fixture = NULL;
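Review bot: The new call `p10cr = load_csr_der(pkcs10_f, libctx);` is not checked, unlike the sibling call in the hunk at line 226 of this file, so a failed load passes NULL to OSSL_CMP_CTX_set1_p10CSR(), which may accept it as "clear the CSR" and let the test continue down a path it was not meant to exercise. Wrapping it the same way as the other site, `if (!TEST_ptr(p10cr = load_csr_der(pkcs10_f, libctx)) || !TEST_true(OSSL_CMP_CTX_set1_p10CSR(fixture->cmp_ctx, p10cr))) {`, keeps the two sites consistent and reports the failure where it happens. test_cmp_pkimessage_create() starts before and continues after this hunk.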
index 710f51c14754ce762a9972ce22507433afa644dc..c28df702cc59291827967f263265e7074772dd67 100644 (file)
@@ -592,6 +592,6 @@ EVP_PKEY *load_pkey_pem(const char *file, OSSL_LIB_CTX *libctx);
 X509 *load_cert_pem(const char *file, OSSL_LIB_CTX *libctx);
 X509 *load_cert_der(const unsigned char *bytes, int len);
 STACK_OF(X509) *load_certs_pem(const char *file);
-X509_REQ *load_csr_der(const char *file);
+X509_REQ *load_csr_der(const char *file, OSSL_LIB_CTX *libctx);
 
 #endif                          /* OSSL_TESTUTIL_H */
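Review bot: The new `libctx` parameter of `load_csr_der` is undocumented, and the sibling `load_cert_der` two lines above still takes no library context, so DER-loaded certificates and CSRs now follow different rules in the test utilities. A one-line comment on the prototype, `/* Decode a DER CSR from file into an X509_REQ created in libctx (NULL selects the default context); caller frees */`, states the contract; whether load_cert_der should gain the same parameter is a separate question but worth a follow-up.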
index 444fb8a78dfd1092bb902adcb1446d71d5cdc3f4..be30d7e05396495c9c557890d1728ba5eb8fc604 100644 (file)
@@ -81,14 +81,17 @@ EVP_PKEY *load_pkey_pem(const char *file, OSSL_LIB_CTX *libctx)
     return key;
 }
 
-X509_REQ *load_csr_der(const char *file)
+X509_REQ *load_csr_der(const char *file, OSSL_LIB_CTX *libctx)
 {
     X509_REQ *csr = NULL;
     BIO *bio = NULL;
 
     if (!TEST_ptr(file) || !TEST_ptr(bio = BIO_new_file(file, "rb")))
         return NULL;
-    (void)TEST_ptr(csr = d2i_X509_REQ_bio(bio, NULL));
+
+    csr = X509_REQ_new_ex(libctx, NULL);
+    if (TEST_ptr(csr))
+        (void)TEST_ptr(d2i_X509_REQ_bio(bio, &csr));
     BIO_free(bio);
     return csr;
 }
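Review bot: A decode failure does not necessarily leave `csr` NULL: `d2i_X509_REQ_bio(bio, &csr)` is called for its TEST_ptr side effect only, and as far as I can tell a read error before decoding (ASN1_item_d2i_bio_ex() returning NULL without touching `*req`) leaves the freshly allocated, empty X509_REQ in place, so the function returns a non-NULL object that the callers in cmp_client_test.c and cmp_msg_test.c then accept as a loaded CSR. Checking the return value and dropping the object on failure closes that gap, and X509_REQ_free(NULL) is harmless in the case where the ASN.1 layer has already freed and cleared `csr`. The `(void)` cast is no longer needed once the result is used.
```c
    csr = X509_REQ_new_ex(libctx, NULL);
    if (TEST_ptr(csr) && !TEST_ptr(d2i_X509_REQ_bio(bio, &csr))) {
        /* decode failed; the ASN.1 layer may or may not have freed csr */
        X509_REQ_free(csr);
        csr = NULL;
    }
    BIO_free(bio);
```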