Don't use |X509| objects in |CERT|, by default.

This change converts the |CERT| struct to holding certificates as binary
blobs, rather than in parsed form. The members for holding the parsed
form are still there, but they are now used only as a cache, for the
case where someone asks us for a non-owning pointer to the parsed leaf
or chain.

Next steps:
  * Move more functions in to ssl_x509.c
  * Create an X509_OPS struct of function pointers that will hang off
    the |SSL_METHOD| to abstract out the current calls to crypto/x509
    operations.

BUG=chromium:671420

Change-Id: Ifa05d88c49a987fd561b349705c9c48f106ec868
Reviewed-on: https://boringssl-review.googlesource.com/13280
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/internal.h b/ssl/internal.h
index ed3f62c..8b94689 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -773,10 +773,6 @@
                                               CBS *cbs,
                                               CRYPTO_BUFFER_POOL *pool);
 
-/* ssl_add_cert_to_cbb adds |x509| to |cbb|. It returns one on success and zero
- * on error. */
-int ssl_add_cert_to_cbb(CBB *cbb, X509 *x509);
-
 /* ssl_add_cert_chain adds |ssl|'s certificate chain to |cbb| in the format used
  * by a TLS Certificate message. If there is no certificate chain, it emits an
  * empty certificate list. It returns one on success and zero on error. */
@@ -1235,9 +1231,25 @@
 
 typedef struct cert_st {
   EVP_PKEY *privatekey;
-  X509 *x509_leaf;
+
+  /* chain contains the certificate chain, with the leaf at the beginning. The
+   * first element of |chain| may be NULL to indicate that the leaf certificate
+   * has not yet been set.
+   *   If |chain| != NULL -> len(chain) >= 1
+   *   If |chain[0]| == NULL -> len(chain) >= 2.
+   *   |chain[1..]| != NULL */
+  STACK_OF(CRYPTO_BUFFER) *chain;
+
+  /* x509_chain may contain a parsed copy of |chain[1..]|. This is only used as
+   * a cache in order to implement “get0” functions that return a non-owning
+   * pointer to the certificate chain. */
   STACK_OF(X509) *x509_chain;
 
+  /* x509_leaf may contain a parsed copy of the first element of |chain|. This
+   * is only used as a cache in order to implement “get0” functions that return
+   * a non-owning pointer to the certificate chain. */
+  X509 *x509_leaf;
+
   /* key_method, if non-NULL, is a set of callbacks to call for private key
    * operations. */
   const SSL_PRIVATE_KEY_METHOD *key_method;
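Review bot: The new comment on `x509_leaf` says the cache backs get0 functions that return "a non-owning pointer to the certificate chain", which is the `x509_chain` wording copied verbatim; for the leaf it should read `/* x509_leaf may contain a parsed copy of |chain[0]|. This is only used as a cache in order to implement "get0" functions that return a non-owning pointer to the leaf certificate. */`. Neither cache comment states the coherence rule the design now depends on: whenever `chain` is replaced or cleared, `x509_leaf` and `x509_chain` must be dropped, otherwise a get0 caller can be handed a parsed certificate that no longer matches the bytes actually sent in the Certificate message, so I would add `It must be flushed whenever |chain| changes.` to both. The declarations added further down provide `ssl_cert_flush_cached_x509_leaf` but no visible counterpart for `x509_chain`; presumably `ssl_cert_clear_certs` covers it, but that is worth confirming since nothing in this diff shows it. Note that `struct cert_st` continues outside the hunk.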
@@ -1685,6 +1697,10 @@
 CERT *ssl_cert_dup(CERT *cert);
 void ssl_cert_clear_certs(CERT *c);
 void ssl_cert_free(CERT *c);
+CRYPTO_BUFFER *x509_to_buffer(X509 *x509);
+void ssl_cert_flush_cached_x509_leaf(CERT *cert);
+int ssl_cert_cache_leaf_cert(CERT *cert);
+int ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey);
 int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server);
 int ssl_encrypt_ticket(SSL *ssl, CBB *out, const SSL_SESSION *session);
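Review bot: The four new prototypes are added without the per-function comment that every other declaration in this header carries (compare `ssl_add_cert_chain` just above), so the ownership of `x509_to_buffer`'s result and the meaning of the `int` returned by `ssl_cert_cache_leaf_cert` and `ssl_cert_check_private_key` are left for callers to guess. I would add `/* x509_to_buffer returns a newly-allocated CRYPTO_BUFFER holding the serialized form of |x509|, or NULL on error. The caller takes ownership. */` and, if the name is accurate, `/* ssl_cert_check_private_key returns one if |privkey| matches the public key in |cert|'s leaf certificate and zero otherwise. */`, plus a one-line "returns one on success and zero on error" note on the caching helper. The check function should also say what it does when `chain` is NULL or `chain[0]` is NULL, since the struct comment explicitly allows an unset leaf. `x509_to_buffer` is also the only new name without the `ssl_` prefix used by its neighbours; if it is meant to stay private to ssl/, `ssl_x509_to_buffer` would match the file's convention.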