Drop cached certificate signature validity flag

It seems risky in the context of cross-signed certificates when the same certificate might have multiple potential issuers. Also rarely used, since chains in OpenSSL typically only employ self-signed trust-anchors, whose self-signatures are not checked, while untrusted certificates are generally ephemeral. (Imported from upstream's 0e76014e584ba78ef1d6ecb4572391ef61c4fb51.) This is in master and not 1.0.2, but having a per-certificate signature cache when this is a function of signature and issuer seems dubious at best. Thanks to Viktor Dukhovni for pointing this change out to me. (And for making the original change upstream, of course.) Change-Id: Ie692d651726f14aeba6eaab03ac918fcaedb4eeb Reviewed-on: https://boringssl-review.googlesource.com/8880 Reviewed-by: Adam Langley <agl@google.com>
2016-07-21 02:21:48 +02:00 · 2016-07-21 02:21:48 +02:00 · 00d7a7cee7
commit 00d7a7cee7
parent 84f8551753
3 changed files with 1 additions and 7 deletions
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@ -1753,9 +1753,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
         * explicitly asked for. It doesn't add any security and just wastes
         * time.
         */
-        if (!xs->valid
-            && (xs != xi
-                || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
+        if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
            if ((pkey = X509_get_pubkey(xi)) == NULL) {
                ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
                ctx->current_cert = xi;
@ -1775,8 +1773,6 @@ static int internal_verify(X509_STORE_CTX *ctx)
            pkey = NULL;
        }

-        xs->valid = 1;
-
 check_cert:
        ok = check_cert_time(ctx, xs);
        if (!ok)
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@ -96,7 +96,6 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
    switch (operation) {

    case ASN1_OP_NEW_POST:
-        ret->valid = 0;
        ret->name = NULL;
        ret->ex_flags = 0;
        ret->ex_pathlen = -1;
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@ -243,7 +243,6 @@ struct x509_st
 	X509_CINF *cert_info;
 	X509_ALGOR *sig_alg;
 	ASN1_BIT_STRING *signature;
-	int valid;
 	CRYPTO_refcount_t references;
 	char *name;
 	CRYPTO_EX_DATA ex_data;