### Changes between 3.6 and 4.0 [xx XXX xxxx]
+ * The `OSSL_ESS_check_signing_certs_ex()` call has been added.
+
+ This api call is an extention to `OSSL_ESS_check_signing_certs()` to add
+ the ability to specify a library context and property query when fetching
+ algorithms to validate a given certificate.
+
+ *Neil Horman*
+
* FIPS self tests can now be deferred and run as needed when installing
the fips module with the -defer_tests option.
ESS_SIGNING_CERT_V2 *ssv2 = NULL;
int ret = ossl_cms_signerinfo_get_signing_cert(si, &ss) >= 0
&& ossl_cms_signerinfo_get_signing_cert_v2(si, &ssv2) >= 0
- && OSSL_ESS_check_signing_certs(ss, ssv2, chain, 1) > 0;
+ && OSSL_ESS_check_signing_certs_ex(ss, ssv2, chain,
+ ossl_cms_ctx_get0_libctx(si->cms_ctx),
+ ossl_cms_ctx_get0_propq(si->cms_ctx), 1)
+ > 0;
ESS_SIGNING_CERT_free(ss);
ESS_SIGNING_CERT_V2_free(ssv2);
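Review bot: The `> 0` comparison of the OSSL_ESS_check_signing_certs_ex() result is left alone on its own line after the wrapped argument list, which is easy to misread as a continuation of the last argument rather than the test the whole `&&` chain depends on. Keeping `1) > 0;` together on the final argument line, or assigning the _ex() result to a local and comparing that, keeps the condition readable. The enclosing function starts and ends outside the hunk.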
* Return 0 on not found, -1 on error, else 1 + the position in |certs|.
*/
static int find(const ESS_CERT_ID *cid, const ESS_CERT_ID_V2 *cid_v2,
- int index, const STACK_OF(X509) *certs)
+ int index, const STACK_OF(X509) *certs, OSSL_LIB_CTX *libctx, const char *propq)
{
const X509 *cert;
EVP_MD *md = NULL;
else
OBJ_obj2txt(name, sizeof(name), cid_v2->hash_alg->algorithm, 0);
- (void)ERR_set_mark();
- md = EVP_MD_fetch(NULL, name, NULL);
-
- if (md == NULL)
- md = (EVP_MD *)EVP_get_digestbyname(name);
-
+ md = EVP_MD_fetch(libctx, name, propq);
if (md == NULL) {
- (void)ERR_clear_last_mark();
ERR_raise(ERR_LIB_ESS, ESS_R_ESS_DIGEST_ALG_UNKNOWN);
goto end;
}
- (void)ERR_pop_to_mark();
for (i = 0; i < sk_X509_num(certs); ++i) {
cert = sk_X509_value(certs, i);
return ret;
}
-int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
+int OSSL_ESS_check_signing_certs_ex(const ESS_SIGNING_CERT *ss,
const ESS_SIGNING_CERT_V2 *ssv2,
const STACK_OF(X509) *chain,
+ OSSL_LIB_CTX *libctx,
+ const char *propq,
int require_signing_cert)
{
int n_v1 = ss == NULL ? -1 : sk_ESS_CERT_ID_num(ss->cert_ids);
}
/* If both ss and ssv2 exist, as required evaluate them independently. */
for (i = 0; i < n_v1; i++) {
- ret = find(sk_ESS_CERT_ID_value(ss->cert_ids, i), NULL, i, chain);
+ ret = find(sk_ESS_CERT_ID_value(ss->cert_ids, i), NULL, i, chain, libctx, propq);
if (ret <= 0)
return ret;
}
for (i = 0; i < n_v2; i++) {
- ret = find(NULL, sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i), i, chain);
+ ret = find(NULL, sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i), i, chain, libctx, propq);
if (ret <= 0)
return ret;
}
return 1;
}
+
+int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
+ const ESS_SIGNING_CERT_V2 *ssv2,
+ const STACK_OF(X509) *chain,
+ int require_signing_cert)
+{
+ return OSSL_ESS_check_signing_certs_ex(ss, ssv2, chain, NULL,
+ NULL, require_signing_cert);
+}
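Review bot: find() now fails with ESS_R_ESS_DIGEST_ALG_UNKNOWN whenever EVP_MD_fetch() returns NULL, whereas the removed lines fell back to EVP_get_digestbyname() for digests only reachable through the legacy lookup table; if dropping that fallback is intended for 4.0 it deserves a sentence in the CHANGES entry, which currently describes only the new _ex() call. Removing the ERR_set_mark()/ERR_pop_to_mark() pair along with the fallback is consistent, since the fetch failure now stays on the error queue under the ESS error, but a comment such as `/* No legacy fallback: the digest must be fetchable from libctx/propq */` above the fetch would make that intent explicit. Separately, the new find() signature line and the two find() calls in the v1/v2 loops appear to exceed OpenSSL's 80-column limit (indentation is not preserved on this page, so this is inferred); wrapping `libctx, propq` onto a continuation line would fix it. The find() body continues outside the hunk.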
OSSL_ESS_signing_cert_new_init,
OSSL_ESS_signing_cert_v2_new_init,
-OSSL_ESS_check_signing_certs
+OSSL_ESS_check_signing_certs,
+OSSL_ESS_check_signing_certs_ex
- Enhanced Security Services (ESS) functions
=head1 SYNOPSIS
const STACK_OF(X509) *chain,
int require_signing_cert);
+ int OSSL_ESS_check_signing_certs_ex(const ESS_SIGNING_CERT *ss,
+ const ESS_SIGNING_CERT_V2 *ssv2,
+ const STACK_OF(X509) *chain,
+ OSSL_LIB_CTX *libctx,
+ const char *propq,
+ int require_signing_cert);
=head1 DESCRIPTION
OSSL_ESS_signing_cert_new_init() generates a new B<ESS_SIGNING_CERT> structure
if the B<issuerSerial> field is included in an B<ESSCertID> or B<ESSCertIDv2>
it must match the certificate issuer and serial number attributes.
+OSSL_ESS_check_signing_certs_ex() functions identically to OSSL_ESS_check_signing_certs(),
+but offers additional parameters, I<libctx> and I<propq>, for users who wish to specify a nondefault
+library context and property query, when the function fetches digests to validate the certs.
+
=head1 NOTES
ESS has been defined in RFC 2634, which has been updated in RFC 5035
OSSL_ESS_signing_cert_new_init() and OSSL_ESS_signing_cert_v2_new_init()
return a pointer to the new structure or NULL on malloc failure.
-OSSL_ESS_check_signing_certs() returns 1 on success,
+OSSL_ESS_check_signing_certs() and OSSL_ESS_check_signing_certs_ex() return 1 on success,
0 if a required certificate cannot be found, -1 on other error.
=head1 SEE ALSO
OSSL_ESS_signing_cert_new_init(), OSSL_ESS_signing_cert_v2_new_init(), and
OSSL_ESS_check_signing_certs() were added in OpenSSL 3.0.
+OSSL_ESS_check_signing_certs_ex() was added in OpenSSL 4.0.
+
=head1 COPYRIGHT
Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
const ESS_SIGNING_CERT_V2 *ssv2,
const STACK_OF(X509) *chain,
int require_signing_cert);
-
+int OSSL_ESS_check_signing_certs_ex(const ESS_SIGNING_CERT *ss,
+ const ESS_SIGNING_CERT_V2 *ssv2,
+ const STACK_OF(X509) *chain,
+ OSSL_LIB_CTX *libctx,
+ const char *propq,
+ int require_signing_cert);
#ifdef __cplusplus
}
#endif
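Review bot: The blank line that separated the OSSL_ESS_check_signing_certs() prototype from `#ifdef __cplusplus` was removed and not restored after the new prototype, so the _ex declaration now runs directly into the extern "C" closing block; re-add the blank line after `int require_signing_cert);`. The new prototype otherwise matches the definition and the pod synopsis.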
OSSL_ENCODER_CTX_ctrl_string ? 4_0_0 EXIST::FUNCTION:
OPENSSL_sk_set_cmp_thunks ? 4_0_0 EXIST::FUNCTION:
ASN1_BIT_STRING_set1 ? 4_0_0 EXIST::FUNCTION:
+OSSL_ESS_check_signing_certs_ex ? 4_0_0 EXIST::FUNCTION: