Update pki to chromium cf9a08ff8be3a3f2d5b13693cc13ef22ab7ee618

Change-Id: I43283162ef356f9e7fb959dbc1ec9e0e98ee83ed
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62385
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Auto-Submit: Bob Beck <bbe@google.com>
diff --git a/pki/ocsp.cc b/pki/ocsp.cc
index f02b274..5ccf2e2 100644
--- a/pki/ocsp.cc
+++ b/pki/ocsp.cc
@@ -2,10 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "webutil/url/url.h"
 #include "ocsp.h"
 
-#include "asn1_util.h"
 #include "cert_errors.h"
 #include "extended_key_usage.h"
 #include "parsed_certificate.h"
@@ -13,12 +11,11 @@
 #include "string_util.h"
 #include "verify_name_match.h"
 #include "verify_signed_data.h"
-#include "fillins/x509_util.h"
 #include <openssl/bytestring.h>
 #include <openssl/digest.h>
 #include <openssl/mem.h>
+#include <openssl/pool.h>
 #include <openssl/sha.h>
-#include "webutil/url/url.h"
 
 namespace bssl {
 
@@ -532,13 +529,16 @@
   ParseCertificateOptions parse_options;
   parse_options.allow_invalid_serial_numbers = true;
 
+  // The objects returned by this function only last for the duration of a
+  // single certificate verification, so there is no need to pool them to save
+  // memory.
+  //
   // TODO(eroman): Swallows the parsing errors. However uses a permissive
   // parsing model.
   CertErrors errors;
   return ParsedCertificate::Create(
-      bssl::UniquePtr<CRYPTO_BUFFER>(
-          CRYPTO_BUFFER_new(reinterpret_cast<const uint8_t*>(der.data()),
-                            der.size(), x509_util::GetBufferPool())),
+      bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
+          reinterpret_cast<const uint8_t*>(der.data()), der.size(), nullptr)),
       {}, &errors);
 }
 
@@ -1014,19 +1014,20 @@
 //
 //    GET {url}/{url-encoding of base-64 encoding of the DER encoding of
 //    the OCSPRequest}
-URL CreateOCSPGetURL(const ParsedCertificate* cert,
-                      const ParsedCertificate* issuer,
-                      std::string_view ocsp_responder_url) {
+std::optional<std::string> CreateOCSPGetURL(
+    const ParsedCertificate* cert,
+    const ParsedCertificate* issuer,
+    std::string_view ocsp_responder_url) {
   std::vector<uint8_t> ocsp_request_der;
   if (!CreateOCSPRequest(cert, issuer, &ocsp_request_der)) {
     // Unexpected (means BoringSSL failed an operation).
-    return URL();
+    return std::nullopt;
   }
 
   // Base64 encode the request data.
   size_t len;
   if (!EVP_EncodedLength(&len, ocsp_request_der.size())) {
-    return URL();
+    return std::nullopt;
   }
   std::vector<uint8_t> encoded(len);
   len = EVP_EncodeBlock(encoded.data(), ocsp_request_der.data(),
@@ -1044,7 +1045,7 @@
 
   // No attempt is made to collapse double slashes for URLs that end in slash,
   // since the spec doesn't do that.
-  return URL(std::string(ocsp_responder_url) + "/" + b64_encoded);
+  return std::string(ocsp_responder_url) + "/" + b64_encoded;
 }
 
 }  // namespace net
diff --git a/pki/ocsp.h b/pki/ocsp.h
index 496378b..69c41c8 100644
--- a/pki/ocsp.h
+++ b/pki/ocsp.h
@@ -6,21 +6,18 @@
 #define BSSL_PKI_OCSP_H_
 
 #include "fillins/openssl_util.h"
-#include "webutil/url/url.h"
 #include <memory>
+#include <string>
 #include <vector>
 
 
 #include "ocsp_revocation_status.h"
 #include "ocsp_verify_result.h"
-#include "parse_certificate.h"
 #include "signature_algorithm.h"
 #include "input.h"
 #include "parse_values.h"
 #include "parser.h"
-#include "tag.h"
-
-class URL;
+#include <optional>
 
 namespace bssl {
 
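Review bot: The new `#include <optional>` sits after the project headers, where the removed `class URL;` forward declaration used to be, while `<string>` was correctly added to the system-header group above; move it up so that group reads `#include <memory>`, `#include <optional>`, `#include <string>`, `#include <vector>`. Removing `parse_certificate.h` leaves `ParsedCertificate`, still named in the CreateOCSPGetURL declaration below, depending on whatever the remaining includes provide; presumably parsed_certificate.h is reached through one of them, but if not, a `class ParsedCertificate;` forward declaration belongs here.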
@@ -315,9 +312,10 @@
                                   std::vector<uint8_t>* request_der);
 
 // Creates a URL to issue a GET request for OCSP information for |cert|.
-OPENSSL_EXPORT URL CreateOCSPGetURL(const ParsedCertificate* cert,
-                                 const ParsedCertificate* issuer,
-                                 std::string_view ocsp_responder_url);
+OPENSSL_EXPORT std::optional<std::string> CreateOCSPGetURL(
+    const ParsedCertificate* cert,
+    const ParsedCertificate* issuer,
+    std::string_view ocsp_responder_url);
 
 }  // namespace net
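Review bot: The comment above CreateOCSPGetURL still says only "Creates a URL" although the function now returns `std::optional<std::string>`; it documents neither when `std::nullopt` is returned nor that the result is a plain string, not a parsed or canonicalized URL. In the ocsp.cc hunk the result is `ocsp_responder_url + "/" + b64_encoded` with the responder URL used verbatim, and since that value presumably originates from certificate data rather than the caller, callers should be told it is passed through unvalidated. Suggested comment: `// Builds the GET URL for an OCSP request for |cert|: |ocsp_responder_url| + "/" + the URL-encoded base64 DER OCSPRequest.` / `// |ocsp_responder_url| is used as given, with no validation or canonicalization.` / `// Returns std::nullopt if the request could not be created or encoded.` Separately, the closing comment `}  // namespace net` on the last line of this hunk (and at the end of the ocsp.cc hunk) no longer matches `namespace bssl`; it should read `}  // namespace bssl`.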
 
diff --git a/pki/ocsp_unittest.cc b/pki/ocsp_unittest.cc
index 32fc1f3..06a012b 100644
--- a/pki/ocsp_unittest.cc
+++ b/pki/ocsp_unittest.cc
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "webutil/url/url.h"
 #include "ocsp.h"
 
 #include "string_util.h"
@@ -11,7 +10,6 @@
 #include <gtest/gtest.h>
 #include <openssl/base64.h>
 #include <openssl/pool.h>
-#include "webutil/url/url.h"
 
 namespace bssl {
 
@@ -214,13 +212,15 @@
   std::shared_ptr<const ParsedCertificate> issuer = ParseCertificate(ca_data);
   ASSERT_TRUE(issuer);
 
-  URL url = CreateOCSPGetURL(cert.get(), issuer.get(), GetParam());
+  std::optional<std::string> url =
+      CreateOCSPGetURL(cert.get(), issuer.get(), GetParam());
+  ASSERT_TRUE(url);
 
   // Try to extract the encoded data and compare against |request_data|.
   //
   // A known answer output test would be better as this just reverses the logic
   // from the implementation file.
-  std::string b64 = url.spec().substr(GetParam().size() + 1);
+  std::string b64 = url->substr(GetParam().size() + 1);
 
   // Hex un-escape the data.
   b64 = bssl::string_util::FindAndReplace(b64, "%2B", "+");
diff --git a/pki/path_builder.h b/pki/path_builder.h
index b1f03fa..f5b8a91 100644
--- a/pki/path_builder.h
+++ b/pki/path_builder.h
@@ -223,7 +223,7 @@
   Result out_result_;
 
   std::unique_ptr<CertPathIter> cert_path_iter_;
-  CertPathBuilderDelegate * delegate_;
+  CertPathBuilderDelegate* delegate_;
   const der::GeneralizedTime time_;
   const KeyPurpose key_purpose_;
   const InitialExplicitPolicy initial_explicit_policy_;