Add X509 related libctx changes.#12153
Conversation
slontis
added
approval: review pending
|
The size of PR #11884 is getting quite large - so I have tried to separate out some bits into smaller PR's to make it easier to review. |
|
I have temporarily merged in @levitte code for OPENSSL_CTX_set0_default(). X509_set0_libctx() has been replaced by X509_new_with_libctx() (at least in this PR). NOTE that d2i_X509() calls X509v3_cache_extensions if the cert object is passed in. The ssl tests actually passed!! |
|
Rebased and fixed up documentation. |
|
@mattcaswell - Some X509 functionality has changed in master which caused an unpleasant rebase. |
|
Travis failures are relevant. |
|
Fixed memory leak.. |
include/openssl/store.h
Outdated
There was a problem hiding this comment.
Source code style wise, I believe this isn't OK, as parenthesised things should be aligned with the left parenthesis.
However, I see nothing wrong with this, and I believe it fits our coding style:
OSSL_STORE_CTX *OSSL_STORE_open_with_libctx
(const char *uri, const UI_METHOD *ui_method, void *ui_data,
OSSL_STORE_post_process_info_fn post_process, void *post_process_data,
OPENSSL_CTX *libctx, const char *propq);There was a problem hiding this comment.
Err.. this style is done all over the place and is (arguably) more readable than the proposed alternative.
Just as this is more readable (also arguably)
if (....) {
}
There was a problem hiding this comment.
@levitte are you going to block on either of the above two comments?
There was a problem hiding this comment.
I have no idea how you think a function declaration compares to an if statement. They are completely different in my mind (apart from using parentheses in their respective syntax)
There was a problem hiding this comment.
I feel strongly about the < name, libctx, propq > tuple staying together. The code style issue, less so, but I am worried that we stray more and more from the style guide, and re-create the mess we had before.
(the coding style needs an update, and there's been several proposals, but not final decisions...)
There was a problem hiding this comment.
I have no idea how you think a function declaration compares to an if statement.
As far as I am aware the reason for this format
if () {
}
Is related to scan-ability of the line.
So I am not sure why you think this can't also apply to () when it needs to span multiple lines.
There was a problem hiding this comment.
I have complied in this PR.. It doesn't mean I have to agree :)
|
Tests pass now - look like it is getting close to a final review. |
- In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx(). - Loading via PEM_read_bio_X509() or d2i_X509() should pass in a created cert using X509_new_with_libctx(). - Renamed some XXXX_ex() to XXX_with_libctx() for X509 API's. - Removed the extra parameters in check_purpose.. - X509_digest() has been modified so that it expects a const EVP_MD object() and then internally it does the fetch when it needs to (via ASN1_item_digest_with_libctx()). - Added API's that set the libctx when they load such as X509_STORE_new_with_libctx() so that the cert chains can be verified.
|
Had to rebase and apply a small change now that #11948 has been merged (which added the env variable to set the app_lib_ctx. |
mattcaswell
left a comment
mattcaswell
left a comment
There was a problem hiding this comment.
All my comments seem to have been addressed and CIs are green. Approving this subject to @levitte's outstanding issues being resolved.
|
Addressed @levitte's comments. |
|
NOTE that does not like I assume it was looking for the '(' on the same line to indicate a function.. So there is still one in store_lib.c |
|
Also removed the dead functions from include/crypto/store.h |
slontis
added
approval: done
|
@levitte function signatures changed now.. Will merge in a few hours in there are no more objections. |
slontis
added
approval: ready to merge
- In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx(). - Loading via PEM_read_bio_X509() or d2i_X509() should pass in a created cert using X509_new_with_libctx(). - Renamed some XXXX_ex() to XXX_with_libctx() for X509 API's. - Removed the extra parameters in check_purpose.. - X509_digest() has been modified so that it expects a const EVP_MD object() and then internally it does the fetch when it needs to (via ASN1_item_digest_with_libctx()). - Added API's that set the libctx when they load such as X509_STORE_new_with_libctx() so that the cert chains can be verified. Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from #12153)
|
Thanks for reviewing. Merged to master. |
- In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx(). - Loading via PEM_read_bio_X509() or d2i_X509() should pass in a created cert using X509_new_with_libctx(). - Renamed some XXXX_ex() to XXX_with_libctx() for X509 API's. - Removed the extra parameters in check_purpose.. - X509_digest() has been modified so that it expects a const EVP_MD object() and then internally it does the fetch when it needs to (via ASN1_item_digest_with_libctx()). - Added API's that set the libctx when they load such as X509_STORE_new_with_libctx() so that the cert chains can be verified. Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from openssl#12153)
4 participants
Checklist