From: Richard Levitte Date: Mon, 30 Aug 2021 11:22:18 +0000 (+0200) Subject: OSSL_STORE 'file:' scheme: Set input structure for certificates and CRLs X-Git-Tag: openssl-3.2.0-alpha1~3603 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=821b3956ec698927281a5b29c55cd87eb7b2793d;p=thirdparty%2Fopenssl.git OSSL_STORE 'file:' scheme: Set input structure for certificates and CRLs When the user expects to load a certificate or a CRL through the OSSL_STORE loading function, the 'file:' implementation sets the corresponding structure names in the internal decoder context. This is especially geared for PEM files, which often contain a mix of objects, and password prompting should be avoided for objects that need them, but aren't what the caller is looking for. Fixes #16224 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16466) --- diff --git a/providers/implementations/storemgmt/file_store.c b/providers/implementations/storemgmt/file_store.c index 6ccda2b33fc..34cb70fdf83 100644 --- a/providers/implementations/storemgmt/file_store.c +++ b/providers/implementations/storemgmt/file_store.c @@ -437,6 +437,31 @@ static int file_setup_decoders(struct file_ctx_st *ctx) goto err; } + /* + * Where applicable, set the outermost structure name. + * The goal is to avoid the STORE object types that are + * potentially password protected but aren't interesting + * for this load. + */ + switch (ctx->expected_type) { + case OSSL_STORE_INFO_CERT: + if (!OSSL_DECODER_CTX_set_input_structure(ctx->_.file.decoderctx, + "Certificate")) { + ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); + goto err; + } + break; + case OSSL_STORE_INFO_CRL: + if (!OSSL_DECODER_CTX_set_input_structure(ctx->_.file.decoderctx, + "CertificateList")) { + ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); + goto err; + } + break; + default: + break; + } + for (to_algo = ossl_any_to_obj_algorithm; to_algo->algorithm_names != NULL; to_algo++) {
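Review bot: the `default: break;` arm leaves the decoder context without an input structure for every expected type other than OSSL_STORE_INFO_CERT and OSSL_STORE_INFO_CRL, and the comment above the switch only implies that this is deliberate; suggest stating it explicitly, for instance "/* Keys and parameters keep the unrestricted structure, since they may legitimately be password protected */", so that a later change does not add a key case that reintroduces the prompting this hunk avoids. It would also help to note beside the two string literals that "Certificate" and "CertificateList" must match the structure names the certificate and CRL decoders advertise, since a typo in either literal is not something the OSSL_DECODER_CTX_set_input_structure return check would catch. Finally, the two CERT/CRL arms are identical apart from the structure name; a small local `const char *structure` chosen in the switch and a single OSSL_DECODER_CTX_set_input_structure call after it would keep the error handling in one place.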