when importing a certificate, keep the DER data
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 29 Aug 2014 13:17:42 +0000 (15:17 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 29 Aug 2014 13:20:48 +0000 (15:20 +0200)
lib/x509/common.c
lib/x509/common.h
lib/x509/crq.c
lib/x509/verify.c
lib/x509/x509.c
lib/x509/x509_int.h

index f31f0cfdd70c8302090b7765e0bfe82d3e017aaf..cbe96ff28beda584d82bdb7722d1c619a06a37b3 100644 (file)
@@ -1513,16 +1513,22 @@ _gnutls_x509_get_pk_algorithm(ASN1_TYPE src, const char *src_name,
  * returns them into signed_data.
  */
 int
-_gnutls_x509_get_signed_data(ASN1_TYPE src, const char *src_name,
+_gnutls_x509_get_signed_data(ASN1_TYPE src,  const gnutls_datum *_der,
+                            const char *src_name,
                             gnutls_datum_t * signed_data)
 {
-       gnutls_datum_t der;
        int start, end, result;
+       gnutls_datum_t der;
 
-       result = _gnutls_x509_der_encode(src, "", &der, 0);
-       if (result < 0) {
-               gnutls_assert();
-               return result;
+       if (_der == NULL) {
+               result = _gnutls_x509_der_encode(src, "", &der, 0);
+               if (result < 0) {
+                       gnutls_assert();
+                       return result;
+               }
+       } else {
+               der.data = _der->data;
+               der.size = _der->size;
        }
 
        /* Get the signed data
@@ -1547,7 +1553,8 @@ _gnutls_x509_get_signed_data(ASN1_TYPE src, const char *src_name,
        result = 0;
 
       cleanup:
-       _gnutls_free_datum(&der);
+       if (_der == NULL)
+               _gnutls_free_datum(&der);
 
        return result;
 }
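Review bot: The new else-branch at `der.data = _der->data;` trusts whatever datum the caller hands in, and verify.c now passes `&cert->der` unconditionally while x509.c fills that field only inside gnutls_x509_crt_import; an object whose cache is still `{NULL, 0}` therefore has an empty buffer fed into the signed-data extraction instead of being encoded from `src` as the old code always did. Treating an empty datum like NULL keeps the previous behaviour for such objects, and a local `need_free` flag keeps the owned/borrowed distinction at cleanup correct once the condition is no longer just `_der == NULL`. Whether any code path populates `cert->cert` without going through import (leaving the cache empty or stale) cannot be seen from this diff, so the contract that `_der` must be the exact encoding of `src` deserves a comment above the function, e.g. `/* _der, if given, must be the DER encoding of src; it is borrowed, not freed */`.
```c
        gnutls_datum_t der;
        unsigned need_free = 0;

        /* an absent or empty cache means src must be encoded here */
        if (_der == NULL || _der->data == NULL) {
                result = _gnutls_x509_der_encode(src, "", &der, 0);
                /* … unchanged: error check … */
                need_free = 1;
        } else {
                /* … unchanged: borrow _der … */
        }

        /* … unchanged: locate the signed range in der … */

      cleanup:
        if (need_free)
                _gnutls_free_datum(&der);
```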
index 022010df0c80c53a4352449e058ee450ecce8671..402d242beabe635893578472303a3955a429e0e9 100644 (file)
@@ -154,7 +154,8 @@ int _gnutls_x509_encode_PKI_params(gnutls_datum_t * der,
 int _gnutls_asn1_copy_node(ASN1_TYPE * dst, const char *dst_name,
                           ASN1_TYPE src, const char *src_name);
 
-int _gnutls_x509_get_signed_data(ASN1_TYPE src, const char *src_name,
+int _gnutls_x509_get_signed_data(ASN1_TYPE src, const gnutls_datum_t *der,
+                                const char *src_name,
                                 gnutls_datum_t * signed_data);
 int _gnutls_x509_get_signature(ASN1_TYPE src, const char *src_name,
                               gnutls_datum_t * signature);
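Review bot: The new parameter is declared here as `const gnutls_datum_t *der` but defined in common.c as `const gnutls_datum *_der`; both presumably name the same type, but one spelling should be used so the prototype and definition read the same. The header is also where the ownership rule belongs, since callers in verify.c now pass a struct member and crq.c passes NULL: `/* der: optional pre-encoded DER of src, borrowed (never freed) and required to match src exactly; NULL means src is re-encoded */`.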
index 7dac499d5f56dc38b3fd4345045a8c6344a68c48..ec01ef71b7ef8f10b9bda2605801c4a1c92b4577 100644 (file)
@@ -2532,7 +2532,7 @@ int gnutls_x509_crq_verify(gnutls_x509_crq_t crq, unsigned int flags)
        gnutls_pk_params_init(&params);
 
        ret =
-           _gnutls_x509_get_signed_data(crq->crq,
+           _gnutls_x509_get_signed_data(crq->crq, NULL,
                                         "certificationRequestInfo",
                                         &data);
        if (ret < 0) {
index 5cbba8a497335da0ad1167bcd9dd2beb8df257ac..7c36b0a378cbc17d225a3154cc0989bbde9557d1 100644 (file)
@@ -44,8 +44,6 @@ bool
 _gnutls_check_if_same_cert(gnutls_x509_crt_t cert1,
                           gnutls_x509_crt_t cert2)
 {
-       gnutls_datum_t cert1bin = { NULL, 0 }, cert2bin = {
-       NULL, 0};
        int ret;
        bool result;
 
@@ -53,29 +51,12 @@ _gnutls_check_if_same_cert(gnutls_x509_crt_t cert1,
        if (ret == 0)
                return 0;
 
-       ret = _gnutls_x509_der_encode(cert1->cert, "", &cert1bin, 0);
-       if (ret < 0) {
-               gnutls_assert();
-               result = 0;
-               goto cleanup;
-       }
-
-       ret = _gnutls_x509_der_encode(cert2->cert, "", &cert2bin, 0);
-       if (ret < 0) {
-               gnutls_assert();
-               result = 0;
-               goto cleanup;
-       }
-
-       if ((cert1bin.size == cert2bin.size) &&
-           (memcmp(cert1bin.data, cert2bin.data, cert1bin.size) == 0))
+       if ((cert1->der.size == cert2->der.size) &&
+           (memcmp(cert1->der.data, cert2->der.data, cert1->der.size) == 0))
                result = 1;
        else
                result = 0;
 
-      cleanup:
-       _gnutls_free_datum(&cert1bin);
-       _gnutls_free_datum(&cert2bin);
        return result;
 }
 
@@ -83,25 +64,14 @@ bool
 _gnutls_check_if_same_cert2(gnutls_x509_crt_t cert1,
                            gnutls_datum_t * cert2bin)
 {
-       gnutls_datum_t cert1bin = { NULL, 0 };
-       int ret;
        bool result;
 
-       ret = _gnutls_x509_der_encode(cert1->cert, "", &cert1bin, 0);
-       if (ret < 0) {
-               result = 0;
-               gnutls_assert();
-               goto cleanup;
-       }
-
-       if ((cert1bin.size == cert2bin->size) &&
-           (memcmp(cert1bin.data, cert2bin->data, cert1bin.size) == 0))
+       if ((cert1->der.size == cert2bin->size) &&
+           (memcmp(cert1->der.data, cert2bin->data, cert1->der.size) == 0))
                result = 1;
        else
                result = 0;
 
-      cleanup:
-       _gnutls_free_datum(&cert1bin);
        return result;
 }
 
@@ -130,7 +100,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
         */
 
        ret =
-           _gnutls_x509_get_signed_data(issuer->cert, "tbsCertificate",
+           _gnutls_x509_get_signed_data(issuer->cert, &issuer->der, "tbsCertificate",
                                         &issuer_signed_data);
        if (ret < 0) {
                gnutls_assert();
@@ -138,7 +108,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
        }
 
        ret =
-           _gnutls_x509_get_signed_data(cert->cert, "tbsCertificate",
+           _gnutls_x509_get_signed_data(cert->cert, &cert->der, "tbsCertificate",
                                         &cert_signed_data);
        if (ret < 0) {
                gnutls_assert();
@@ -679,7 +649,7 @@ verify_crt(gnutls_x509_crt_t cert,
        }
 
        ret =
-           _gnutls_x509_get_signed_data(cert->cert, "tbsCertificate",
+           _gnutls_x509_get_signed_data(cert->cert, &cert->der, "tbsCertificate",
                                         &cert_signed_data);
        if (ret < 0) {
                result = 0;
@@ -1366,7 +1336,7 @@ gnutls_x509_crl_verify(gnutls_x509_crl_t crl,
        }
 
        result =
-           _gnutls_x509_get_signed_data(crl->crl, "tbsCertList",
+           _gnutls_x509_get_signed_data(crl->crl, NULL, "tbsCertList",
                                         &crl_signed_data);
        if (result < 0) {
                gnutls_assert();
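Review bot: `_gnutls_check_if_same_cert` now reports two certificates as identical whenever both cached encodings are empty: with `cert1->der.size` and `cert2->der.size` both 0 the size test passes and `memcmp` on two NULL pointers with length 0 yields 0 (and is itself undefined behaviour per the C standard), so `result = 1`; `_gnutls_check_if_same_cert2` has the same hole on `cert1->der`. The removed code encoded `cert->cert` on demand and so worked for any populated object, whereas the new code silently depends on `cert->der` having been filled by gnutls_x509_crt_import, which this diff does not show to be the only way a crt gets populated. Since this comparison presumably feeds the chain/trust matching in this file, a false "same" is the wrong failure direction; add `if (cert1->der.data == NULL || cert2->der.data == NULL) { gnutls_assert(); return 0; }` (and the one-sided check in the second function), or fall back to `_gnutls_x509_der_encode` when the cache is empty. The lines of `_gnutls_check_if_same_cert` between the first two hunks are not shown.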
index ac12e934d584b7616a9296da182604fabc057e92..aced47a2c77b4fe7e8d4c0c23eb82f89da9bcb2a 100644 (file)
@@ -162,6 +162,7 @@ void gnutls_x509_crt_deinit(gnutls_x509_crt_t cert)
                asn1_delete_structure(&cert->cert);
        gnutls_free(cert->raw_dn.data);
        gnutls_free(cert->raw_issuer_dn.data);
+       gnutls_free(cert->der.data);
        gnutls_free(cert);
 }
 
@@ -186,16 +187,17 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
                       const gnutls_datum_t * data,
                       gnutls_x509_crt_fmt_t format)
 {
-       int result = 0, need_free = 0;
-       gnutls_datum_t _data;
+       int result = 0;
 
        if (cert == NULL) {
                gnutls_assert();
                return GNUTLS_E_INVALID_REQUEST;
        }
 
-       _data.data = data->data;
-       _data.size = data->size;
+       if (cert->der.data) {
+               gnutls_free(cert->der.data);
+               cert->der.data = NULL;
+       }
 
        /* If the Certificate is in PEM format then decode it
         */
@@ -203,22 +205,26 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
                /* Try the first header */
                result =
                    _gnutls_fbase64_decode(PEM_X509_CERT2, data->data,
-                                          data->size, &_data);
+                                          data->size, &cert->der);
 
                if (result <= 0) {
                        /* try for the second header */
                        result =
                            _gnutls_fbase64_decode(PEM_X509_CERT,
                                                   data->data, data->size,
-                                                  &_data);
+                                                  &cert->der);
 
                        if (result < 0) {
                                gnutls_assert();
                                return result;
                        }
                }
-
-               need_free = 1;
+       } else {
+               result = _gnutls_set_datum(&cert->der, data->data, data->size);
+               if (result < 0) {
+                       gnutls_assert();
+                       return result;
+               }
        }
 
        if (cert->expanded) {
@@ -235,14 +241,14 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
        cert->expanded = 1;
 
        result =
-           asn1_der_decoding(&cert->cert, _data.data, _data.size, NULL);
+           asn1_der_decoding(&cert->cert, cert->der.data, cert->der.size, NULL);
        if (result != ASN1_SUCCESS) {
                result = _gnutls_asn2err(result);
                gnutls_assert();
                goto cleanup;
        }
 
-       result = _gnutls_x509_get_raw_dn2(cert->cert, &_data,
+       result = _gnutls_x509_get_raw_dn2(cert->cert, &cert->der,
                                          "tbsCertificate.issuer.rdnSequence",
                                          &cert->raw_issuer_dn);
        if (result < 0) {
@@ -250,7 +256,7 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
                goto cleanup;
        }
 
-       result = _gnutls_x509_get_raw_dn2(cert->cert, &_data,
+       result = _gnutls_x509_get_raw_dn2(cert->cert, &cert->der,
                                          "tbsCertificate.subject.rdnSequence",
                                          &cert->raw_dn);
        if (result < 0) {
@@ -261,14 +267,11 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
        /* Since we do not want to disable any extension
         */
        cert->use_extensions = 1;
-       if (need_free)
-               _gnutls_free_datum(&_data);
 
        return 0;
 
       cleanup:
-       if (need_free)
-               _gnutls_free_datum(&_data);
+       _gnutls_free_datum(&cert->der);
        _gnutls_free_datum(&cert->raw_dn);
        _gnutls_free_datum(&cert->raw_issuer_dn);
        return result;
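Review bot: The reset at the top of gnutls_x509_crt_import (`gnutls_free(cert->der.data); cert->der.data = NULL;`) clears the pointer but leaves `cert->der.size` at its previous value, so if the PEM decode then fails and the function leaves via the early `return result;`, the object is left as `{NULL, old_size}` and the new `_gnutls_check_if_same_cert` in verify.c will hand that NULL pointer with a non-zero length to memcmp. Use the same helper the cleanup path uses, `_gnutls_free_datum(&cert->der);`, or at least add `cert->der.size = 0;` after the NULL assignment — the former assuming that helper also zeroes `size`, which this diff does not show. It is likewise not visible whether a failed first `_gnutls_fbase64_decode` attempt can leave something allocated in `cert->der` before the second header is tried; if it can, that early return leaks it, and routing the failure through `cleanup` would cover both cases.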
index 2137022d6d9b4443ef2c67daec8bffff0f68848d..cf4e1529460226ad4d33dd7ef4f884a3fe5a428d 100644 (file)
@@ -69,6 +69,7 @@ typedef struct gnutls_x509_crt_int {
        gnutls_datum_t raw_dn;
        gnutls_datum_t raw_issuer_dn;
 
+       gnutls_datum_t der;
        struct pin_info_st pin;
 } gnutls_x509_crt_int;
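Review bot: The new `der` member is undocumented even though verify.c now reads it directly in place of re-encoding `cert`, so its meaning and lifetime should be stated at the declaration, next to the other cached datums above it. Suggested: `/* DER encoding as handed to gnutls_x509_crt_import(), freed in deinit; {NULL,0} until then, and only valid while it matches `cert` */`. The struct definition begins outside the hunk; only its tail is visible here.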