Add X509_REQ_set1_signature_algo and X509_REQ_set1_signature_value.

These are the X509_REQ analogs to
https://boringssl-review.googlesource.com/c/boringssl/+/43784 and
https://boringssl-review.googlesource.com/c/boringssl/+/47525.

The one difference is CSRs do not have the redundant copy of the
signature algorithm, so X509_REQ_set1_signature_algo is a little
simpler.

Change-Id: I5fe27b22b30520c71542d51044b0b16712021f59
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52945
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
diff --git a/crypto/x509/x509cset.c b/crypto/x509/x509cset.c
index 1671f35..a51406b 100644
--- a/crypto/x509/x509cset.c
+++ b/crypto/x509/x509cset.c
@@ -262,8 +262,8 @@
 
 int X509_CRL_set1_signature_algo(X509_CRL *crl, const X509_ALGOR *algo)
 {
-    /* TODO(davidben): Const-correct generated ASN.1 dup functions.
-     * Alternatively, when the types are hidden and we can embed required fields
+    /* TODO(https://crbug.com/boringssl/407): Generated ASN.1 dup functions
+     * should be const. Alternatively, when we can embed required fields
      * directly in structs, import |X509_ALGOR_copy| from upstream. */
     X509_ALGOR *copy1 = X509_ALGOR_dup((X509_ALGOR *)algo);
     X509_ALGOR *copy2 = X509_ALGOR_dup((X509_ALGOR *)algo);
diff --git a/crypto/x509/x509rset.c b/crypto/x509/x509rset.c
index c69f8cb..108485c 100644
--- a/crypto/x509/x509rset.c
+++ b/crypto/x509/x509rset.c
@@ -87,3 +87,29 @@
         return (0);
     return (X509_PUBKEY_set(&x->req_info->pubkey, pkey));
 }
+
+int X509_REQ_set1_signature_algo(X509_REQ *req, const X509_ALGOR *algo)
+{
+    /* TODO(https://crbug.com/boringssl/407): Generated ASN.1 dup functions
+     * should be const. Alternatively, when we can embed required fields
+     * directly in structs, import |X509_ALGOR_copy| from upstream. */
+    X509_ALGOR *copy = X509_ALGOR_dup((X509_ALGOR *)algo);
+    if (copy == NULL) {
+        return 0;
+    }
+
+    X509_ALGOR_free(req->sig_alg);
+    req->sig_alg = copy;
+    return 1;
+}
+
+int X509_REQ_set1_signature_value(X509_REQ *req, const uint8_t *sig,
+                                  size_t sig_len)
+{
+    if (!ASN1_STRING_set(req->signature, sig, sig_len)) {
+      return 0;
+    }
+    req->signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
+    req->signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
+    return 1;
+}
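Review bot: `X509_REQ_set1_signature_value` hands its `size_t sig_len` straight to `ASN1_STRING_set` at `if (!ASN1_STRING_set(req->signature, sig, sig_len))`; if that function still takes a signed length (int or ossl_ssize_t, not visible here), an oversized value is converted rather than rejected, so an explicit guard before the call, `if (sig_len > INT_MAX) { return 0; }`, keeps the check at this API boundary instead of depending on the callee, and should then match whatever X509_set1_signature_value does. The `return 0;` inside that `if` is indented six spaces while the rest of the file steps by four, so it should be eight. The two flag operations that follow are right for a whole-byte BIT STRING but `0x07` is an unnamed constant; a one-line comment such as `/* clear any unused-bits count, then mark the string as whole bytes */` would spare readers a trip to the ASN1_STRING_FLAG_BITS_LEFT definition.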
diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c
index dfcc72d..37ee975 100644
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@@ -351,8 +351,8 @@
 
 int X509_set1_signature_algo(X509 *x509, const X509_ALGOR *algo)
 {
-    /* TODO(davidben): Const-correct generated ASN.1 dup functions.
-     * Alternatively, when the types are hidden and we can embed required fields
+    /* TODO(https://crbug.com/boringssl/407): Generated ASN.1 dup functions
+     * should be const. Alternatively, when we can embed required fields
      * directly in structs, import |X509_ALGOR_copy| from upstream. */
     X509_ALGOR *copy1 = X509_ALGOR_dup((X509_ALGOR *)algo);
     X509_ALGOR *copy2 = X509_ALGOR_dup((X509_ALGOR *)algo);
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 4d312c7..945355f 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -1191,6 +1191,24 @@
                                              const unsigned char *data,
                                              int len);
 
+// X509_REQ_set1_signature_algo sets |req|'s signature algorithm to |algo| and
+// returns one on success or zero on error.
+OPENSSL_EXPORT int X509_REQ_set1_signature_algo(X509_REQ *req,
+                                                const X509_ALGOR *algo);
+
+// X509_REQ_set1_signature_value sets |req|'s signature to a copy of the
+// |sig_len| bytes pointed by |sig|. It returns one on success and zero on
+// error.
+//
+// Due to a specification error, PKCS#10 certificate requests store signatures
+// in ASN.1 BIT STRINGs, but signature algorithms return byte strings rather
+// than bit strings. This function creates a BIT STRING containing a whole
+// number of bytes, with the bit order matching the DER encoding. This matches
+// the encoding used by all X.509 signature algorithms.
+OPENSSL_EXPORT int X509_REQ_set1_signature_value(X509_REQ *req,
+                                                 const uint8_t *sig,
+                                                 size_t sig_len);
+
 // X509_CRL_set_version sets |crl|'s version to |version|, which should be one
 // of the |X509_CRL_VERSION_*| constants. It returns one on success and zero on
 // error.
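Review bot: The comment on `X509_REQ_set1_signature_algo` says it sets the algorithm "to |algo|", but the x509rset.c implementation in this commit duplicates it (set1 semantics), so the header should say `// X509_REQ_set1_signature_algo sets |req|'s signature algorithm to a copy of |algo| and returns one on success or zero on error.` so callers know they keep ownership of |algo|. Both new setters are plain field writes; neither checks that |sig| actually signs the encoded request under |algo|, which is worth stating for callers assembling a CSR from an externally produced signature, e.g. `// Neither setter validates |sig| against |req|'s contents; verify the result (e.g. with X509_REQ_verify) before relying on it.` The hunk shows only the declarations, so surrounding header context is not visible.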