Remove X509_get_pubkey_parameters.
It's never called in outside code. This too seems to be a remnant of the DSA
PKIX optional parameter stuff. This is confirmed both by a removed comment and
by the brief documentation at http://www.umich.edu/~x509/ssleay/x509_pkey.html
RFC 5480 does not allow ECDSA keys to be missing parameters, so this logic is
incorrect for ECDSA anyway. It was also failing to check
EVP_PKEY_copy_parameters' return value. And that logic looks pretty suspect if
you have a chain made up multiple certificate types.
Change-Id: Id6c60659a0162356c7f3eae5c797047366baae1c
Reviewed-on: https://boringssl-review.googlesource.com/3485
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 28d2182..78e70a6 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -410,9 +410,6 @@
if (!ok) goto end;
- /* We may as well copy down any DSA parameters that are required */
- X509_get_pubkey_parameters(NULL,ctx->chain);
-
/* Check revocation status: we do this after copying parameters
* because they may be needed for CRL signature verification.
*/
@@ -441,12 +438,8 @@
/* If we get this far evaluate policies */
if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
ok = ctx->check_policy(ctx);
- if(!ok) goto end;
- if (0)
- {
+
end:
- X509_get_pubkey_parameters(NULL,ctx->chain);
- }
if (sktmp != NULL) sk_X509_free(sktmp);
if (chain_ss != NULL) X509_free(chain_ss);
return ok;
@@ -1932,48 +1925,6 @@
return ASN1_TIME_adj(s, t, offset_day, offset_sec);
}
-int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
- {
- EVP_PKEY *ktmp=NULL,*ktmp2;
- size_t i,j;
-
- if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
-
- for (i=0; i<sk_X509_num(chain); i++)
- {
- ktmp=X509_get_pubkey(sk_X509_value(chain,i));
- if (ktmp == NULL)
- {
- OPENSSL_PUT_ERROR(X509, X509_get_pubkey_parameters, X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
- return 0;
- }
- if (!EVP_PKEY_missing_parameters(ktmp))
- break;
- else
- {
- EVP_PKEY_free(ktmp);
- ktmp=NULL;
- }
- }
- if (ktmp == NULL)
- {
- OPENSSL_PUT_ERROR(X509, X509_get_pubkey_parameters, X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
- return 0;
- }
-
- /* first, populate the other certs */
- for (j=i-1; j < i; j--)
- {
- ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
- EVP_PKEY_copy_parameters(ktmp2,ktmp);
- EVP_PKEY_free(ktmp2);
- }
-
- if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
- EVP_PKEY_free(ktmp);
- return 1;
- }
-
/* Make a delta CRL as the diff between two full CRLs */
X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index f500876..acdab6e 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -748,8 +748,6 @@
OPENSSL_EXPORT int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
OPENSSL_EXPORT EVP_PKEY * X509_PUBKEY_get(X509_PUBKEY *key);
-OPENSSL_EXPORT int X509_get_pubkey_parameters(EVP_PKEY *pkey,
- STACK_OF(X509) *chain);
OPENSSL_EXPORT int i2d_PUBKEY(const EVP_PKEY *a,unsigned char **pp);
OPENSSL_EXPORT EVP_PKEY * d2i_PUBKEY(EVP_PKEY **a,const unsigned char **pp,
long length);
