get_issuer can never return -1

The -1 cases were all removed in
https://boringssl-review.googlesource.com/c/boringssl/+/8303, so we can
simplify things. This removes almost all cases where X509_verify_cert
could have returned -1.

As part of this, align the get_issuer and find_issuer calling
conventions. Also rename it to get_trusted_issuer to make it clearer
that this only searches for trusted certs.

Change-Id: I586d037106bb74887738a342d222948db8e49d53
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65088
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index b0dc725..893bf42 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -3071,6 +3071,19 @@
 OPENSSL_EXPORT int X509_check_ip_asc(const X509 *x509, const char *ipasc,
                                      unsigned int flags);
 
+// X509_STORE_CTX_get1_issuer looks up a candidate trusted issuer for |x509| out
+// of |ctx|'s |X509_STORE|, based on the criteria in |X509_check_issued|. If one
+// was found, it returns one and sets |*out_issuer| to the issuer. The caller
+// must release |*out_issuer| with |X509_free| when done. If none was found, it
+// returns zero and leaves |*out_issuer| unchanged.
+//
+// This function only searches for trusted issuers. It does not consider
+// untrusted intermediates passed in to |X509_STORE_CTX_init|.
+//
+// TODO(crbug.com/boringssl/407): |x509| should be const.
+OPENSSL_EXPORT int X509_STORE_CTX_get1_issuer(X509 **out_issuer,
+                                              X509_STORE_CTX *ctx, X509 *x509);
+
 
 // X.509 information.
 //
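Review bot: the new comment on X509_STORE_CTX_get1_issuer documents the one and zero returns but never states that a negative return is no longer possible, which the commit message gives as the reason for this change. Callers written against the old contract may still test `< 0`, or treat any non-zero value as success, so a sentence such as "This function never returns a negative value" would make the new contract explicit. Because the comment also says |*out_issuer| is left unchanged on a zero return, it would help to tell callers to initialize the pointer to NULL before the call, so that a missed return check cannot end in X509_free on an uninitialized pointer.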
@@ -3787,9 +3800,6 @@
 // on error.
 OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_new(void);
 
-OPENSSL_EXPORT int X509_STORE_CTX_get1_issuer(X509 **issuer,
-                                              X509_STORE_CTX *ctx, X509 *x);
-
 // X509_STORE_CTX_free releases memory associated with |ctx|.
 OPENSSL_EXPORT void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
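Review bot: the declaration removed here sat beside X509_STORE_CTX_new and X509_STORE_CTX_free, while its replacement now lives about 700 lines earlier, after X509_check_ip_asc, so a reader scanning the X509_STORE_CTX functions at this spot will no longer find it. Consider a short cross-reference in this group pointing to X509_STORE_CTX_get1_issuer. The parameters were also renamed from issuer and x to out_issuer and x509, so the definition should use the same names to keep header and implementation consistent.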