Remove X509_get_pubkey_parameters.

It's never called in outside code. This too seems to be a remnant of the DSA PKIX optional parameter stuff. This is confirmed both by a removed comment and by the brief documentation at http://www.umich.edu/~x509/ssleay/x509_pkey.html RFC 5480 does not allow ECDSA keys to be missing parameters, so this logic is incorrect for ECDSA anyway. It was also failing to check EVP_PKEY_copy_parameters' return value. And that logic looks pretty suspect if you have a chain made up multiple certificate types. Change-Id: Id6c60659a0162356c7f3eae5c797047366baae1c Reviewed-on: https://boringssl-review.googlesource.com/3485 Reviewed-by: Adam Langley <agl@google.com>
2015-02-16 21:15:53 -05:00 · 2015-02-16 21:15:53 -05:00 · dd1ca99da4
commit dd1ca99da4
parent 310db06b79
2 changed files with 1 additions and 52 deletions
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@ -410,9 +410,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)

 	if (!ok) goto end;

-	/* We may as well copy down any DSA parameters that are required */
-	X509_get_pubkey_parameters(NULL,ctx->chain);
-
 	/* Check revocation status: we do this after copying parameters
 	 * because they may be needed for CRL signature verification.
 	 */
@ -441,12 +438,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 	/* If we get this far evaluate policies */
 	if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
 		ok = ctx->check_policy(ctx);
-	if(!ok) goto end;
-	if (0)
-		{
+
 end:
-		X509_get_pubkey_parameters(NULL,ctx->chain);
-		}
 	if (sktmp != NULL) sk_X509_free(sktmp);
 	if (chain_ss != NULL) X509_free(chain_ss);
 	return ok;
@ -1932,48 +1925,6 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
 	return ASN1_TIME_adj(s, t, offset_day, offset_sec);
 	}

-int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
-	{
-	EVP_PKEY *ktmp=NULL,*ktmp2;
-	size_t i,j;
-
-	if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
-
-	for (i=0; i<sk_X509_num(chain); i++)
-		{
-		ktmp=X509_get_pubkey(sk_X509_value(chain,i));
-		if (ktmp == NULL)
-			{
-			OPENSSL_PUT_ERROR(X509, X509_get_pubkey_parameters, X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
-			return 0;
-			}
-		if (!EVP_PKEY_missing_parameters(ktmp))
-			break;
-		else
-			{
-			EVP_PKEY_free(ktmp);
-			ktmp=NULL;
-			}
-		}
-	if (ktmp == NULL)
-		{
-		OPENSSL_PUT_ERROR(X509, X509_get_pubkey_parameters, X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
-		return 0;
-		}
-
-	/* first, populate the other certs */
-	for (j=i-1; j < i; j--)
-		{
-		ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
-		EVP_PKEY_copy_parameters(ktmp2,ktmp);
-		EVP_PKEY_free(ktmp2);
-		}
-	
-	if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
-	EVP_PKEY_free(ktmp);
-	return 1;
-	}
-
 /* Make a delta CRL as the diff between two full CRLs */

 X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@ -748,8 +748,6 @@ DECLARE_ASN1_FUNCTIONS(X509_PUBKEY)

 OPENSSL_EXPORT int		X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
 OPENSSL_EXPORT EVP_PKEY *	X509_PUBKEY_get(X509_PUBKEY *key);
-OPENSSL_EXPORT int		X509_get_pubkey_parameters(EVP_PKEY *pkey,
-					   STACK_OF(X509) *chain);
 OPENSSL_EXPORT int		i2d_PUBKEY(const EVP_PKEY *a,unsigned char **pp);
 OPENSSL_EXPORT EVP_PKEY *	d2i_PUBKEY(EVP_PKEY **a,const unsigned char **pp,
 			long length);