From dd1ca99da4ba21684c4136a4ecb87d291d1792fa Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Mon, 16 Feb 2015 21:15:53 -0500 Subject: [PATCH] Remove X509_get_pubkey_parameters. It's never called in outside code. This too seems to be a remnant of the DSA PKIX optional parameter stuff. This is confirmed both by a removed comment and by the brief documentation at http://www.umich.edu/~x509/ssleay/x509_pkey.html RFC 5480 does not allow ECDSA keys to be missing parameters, so this logic is incorrect for ECDSA anyway. It was also failing to check EVP_PKEY_copy_parameters' return value. And that logic looks pretty suspect if you have a chain made up multiple certificate types. Change-Id: Id6c60659a0162356c7f3eae5c797047366baae1c Reviewed-on: https://boringssl-review.googlesource.com/3485 Reviewed-by: Adam Langley --- crypto/x509/x509_vfy.c | 51 +----------------------------------------- include/openssl/x509.h | 2 -- 2 files changed, 1 insertion(+), 52 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 28d2182d..78e70a61 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -410,9 +410,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx) if (!ok) goto end; - /* We may as well copy down any DSA parameters that are required */ - X509_get_pubkey_parameters(NULL,ctx->chain); - /* Check revocation status: we do this after copying parameters * because they may be needed for CRL signature verification. */ @@ -441,12 +438,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx) /* If we get this far evaluate policies */ if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) ok = ctx->check_policy(ctx); - if(!ok) goto end; - if (0) - { + end: - X509_get_pubkey_parameters(NULL,ctx->chain); - } if (sktmp != NULL) sk_X509_free(sktmp); if (chain_ss != NULL) X509_free(chain_ss); return ok; @@ -1932,48 +1925,6 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, return ASN1_TIME_adj(s, t, offset_day, offset_sec); } -int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) - { - EVP_PKEY *ktmp=NULL,*ktmp2; - size_t i,j; - - if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; - - for (i=0; i