Make X509_verify() libctx aware#11507
Conversation
doc/man3/X509_sign.pod
Outdated
There was a problem hiding this comment.
Hmm. I actually think X509_verify_ex should come first. That is the way it is described in the text below. So, for consistency I also moved X509_REQ_verify_ex to be before X509_REQ_verify
mattcaswell
force-pushed
the
x509_verify_ex
branch
from
e9a079e to
a1f4d6a
Compare
|
Fixups pushed. I also rebased to fix a conflict with master. |
|
Travis failure is strange but unrelated to this PR. |
|
Ping? |
doc/man3/X509_sign.pod
Outdated
There was a problem hiding this comment.
Should we have a libctx reference here also?
slontis
left a comment
slontis
left a comment
There was a problem hiding this comment.
Apart from a nit it looks good to me.
mattcaswell
force-pushed
the
x509_verify_ex
branch
from
1e11f67 to
5249b2c
Compare
|
Fixup pushed addressing the nit. Also rebased to resolve conflicts with master. |
doc/man3/X509_sign.pod
Outdated
There was a problem hiding this comment.
Hmm... should we have also X509_CRL_verify_ex?
There was a problem hiding this comment.
Perhaps, and I did consider it. However, X509_CRL_verify is implemented differently to the other 2 I updated and it looked more complicated to change. Since I don't need to do that now for alpha1 I opted to exclude it from this PR.
mattcaswell
force-pushed
the
x509_verify_ex
branch
from
756dcb9 to
e6e3eb3
Compare
This is the same as X509_verify() except that it takes a libctx and propq parameter and signature verification is done using those.
The internal version is library context aware.
mattcaswell
force-pushed
the
x509_verify_ex
branch
from
e6e3eb3 to
8c23693
Compare
|
Fixup commit pushed addressing feedback above. I also rebased (twice!) to fix conflicts with master. Please take another look. |
t8m
left a comment
t8m
left a comment
There was a problem hiding this comment.
Approved if CI passes (seems to be overwhelmed by the churn of PRs).
mattcaswell
added
the
approval: done
|
Pushed. Thanks! |
This is the same as X509_verify() except that it takes a libctx and propq parameter and signature verification is done using those. Reviewed-by: Shane Lontis <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #11507)
The internal version is library context aware. Reviewed-by: Shane Lontis <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #11507)
Reviewed-by: Shane Lontis <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #11507)
3 participants
X509_verify() validates the signature in an X509 cert. We should make sure we use a library ctx and property query string for fetching any algorithms. Therefore we introduce X509_verify_ex().
I've also included a second loosely related commit which gives us an internal version of X509_check_issued() which is library ctx aware. We don't actually need this to be public (you can achieve the same thing via other means) - but it makes our internal code a bit neater doing things this way.
This is required for alpha1.