authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-08-29 15:17:42 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-08-29 15:20:48 +0200
commit95c2b495d74d0ea76ea7357f9fc0d1ca41307729 (patch)
treeccd37f9414d78e7a56202fe533b44f98e2a44959
parentd44dff7f2216b8c13d05a61dbe9ebf3fceb99031 (diff)
downloadgnutls-95c2b495d74d0ea76ea7357f9fc0d1ca41307729.tar.gz
when importing a certificate, keep the DER data
-rw-r--r--lib/x509/common.c21
-rw-r--r--lib/x509/common.h3
-rw-r--r--lib/x509/crq.c2
-rw-r--r--lib/x509/verify.c46
-rw-r--r--lib/x509/x509.c33
-rw-r--r--lib/x509/x509_int.h1
6 files changed, 44 insertions, 62 deletions
diff --git a/lib/x509/common.c b/lib/x509/common.c
index f31f0cfdd7..cbe96ff28b 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1513,16 +1513,22 @@ _gnutls_x509_get_pk_algorithm(ASN1_TYPE src, const char *src_name,
* returns them into signed_data.
*/
int
-_gnutls_x509_get_signed_data(ASN1_TYPE src, const char *src_name,
+_gnutls_x509_get_signed_data(ASN1_TYPE src, const gnutls_datum *_der,
+ const char *src_name,
gnutls_datum_t * signed_data)
{
- gnutls_datum_t der;
int start, end, result;
+ gnutls_datum_t der;
- result = _gnutls_x509_der_encode(src, "", &der, 0);
- if (result < 0) {
- gnutls_assert();
- return result;
+ if (_der == NULL) {
+ result = _gnutls_x509_der_encode(src, "", &der, 0);
+ if (result < 0) {
+ gnutls_assert();
+ return result;
+ }
+ } else {
+ der.data = _der->data;
+ der.size = _der->size;
}
/* Get the signed data
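Review bot: The new `_der == NULL` test takes a caller-supplied datum as authoritative even when it is empty, so a crt whose `der` was never populated would have its signed data extracted from `{NULL, 0}` instead of from a fresh encoding. Every crt caller in this diff passes `&cert->der` unconditionally and only gnutls_x509_crt_import fills that field, so a certificate reaching verification through some other construction path (not visible here) would hit this case. A safer test falls back to encoding whenever there is nothing usable: `int need_free = (_der == NULL || _der->data == NULL);` followed by `if (need_free) { ...encode... } else { ...borrow... }`, and the release at the cleanup label must test the same flag rather than `_der == NULL`. The body of `_gnutls_x509_get_signed_data` continues past this hunk.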
@@ -1547,7 +1553,8 @@ _gnutls_x509_get_signed_data(ASN1_TYPE src, const char *src_name,
result = 0;
cleanup:
- _gnutls_free_datum(&der);
+ if (_der == NULL)
+ _gnutls_free_datum(&der);
return result;
}
diff --git a/lib/x509/common.h b/lib/x509/common.h
index 022010df0c..402d242bea 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -154,7 +154,8 @@ int _gnutls_x509_encode_PKI_params(gnutls_datum_t * der,
int _gnutls_asn1_copy_node(ASN1_TYPE * dst, const char *dst_name,
ASN1_TYPE src, const char *src_name);
-int _gnutls_x509_get_signed_data(ASN1_TYPE src, const char *src_name,
+int _gnutls_x509_get_signed_data(ASN1_TYPE src, const gnutls_datum_t *der,
+ const char *src_name,
gnutls_datum_t * signed_data);
int _gnutls_x509_get_signature(ASN1_TYPE src, const char *src_name,
gnutls_datum_t * signature);
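Review bot: The new `der` parameter is undocumented in the header, and its type is spelled differently from the definition in common.c (`gnutls_datum_t` here, `gnutls_datum` there). I would add above the prototype: `/* der: the DER encoding src was decoded from, or NULL to have src re-encoded; a non-NULL der is borrowed and is not freed by this function. */` — the borrowed part matters because the cleanup path only frees what the function encoded itself. The type name should be the same in both places; `gnutls_datum_t` is the spelling used by the surrounding prototypes, assuming both names resolve to the same struct as the code suggests.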
diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index 7dac499d5f..ec01ef71b7 100644
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -2532,7 +2532,7 @@ int gnutls_x509_crq_verify(gnutls_x509_crq_t crq, unsigned int flags)
gnutls_pk_params_init(&params);
ret =
- _gnutls_x509_get_signed_data(crq->crq,
+ _gnutls_x509_get_signed_data(crq->crq, NULL,
"certificationRequestInfo",
&data);
if (ret < 0) {
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 5cbba8a497..7c36b0a378 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -44,8 +44,6 @@ bool
_gnutls_check_if_same_cert(gnutls_x509_crt_t cert1,
gnutls_x509_crt_t cert2)
{
- gnutls_datum_t cert1bin = { NULL, 0 }, cert2bin = {
- NULL, 0};
int ret;
bool result;
@@ -53,29 +51,12 @@ _gnutls_check_if_same_cert(gnutls_x509_crt_t cert1,
if (ret == 0)
return 0;
- ret = _gnutls_x509_der_encode(cert1->cert, "", &cert1bin, 0);
- if (ret < 0) {
- gnutls_assert();
- result = 0;
- goto cleanup;
- }
-
- ret = _gnutls_x509_der_encode(cert2->cert, "", &cert2bin, 0);
- if (ret < 0) {
- gnutls_assert();
- result = 0;
- goto cleanup;
- }
-
- if ((cert1bin.size == cert2bin.size) &&
- (memcmp(cert1bin.data, cert2bin.data, cert1bin.size) == 0))
+ if ((cert1->der.size == cert2->der.size) &&
+ (memcmp(cert1->der.data, cert2->der.data, cert1->der.size) == 0))
result = 1;
else
result = 0;
- cleanup:
- _gnutls_free_datum(&cert1bin);
- _gnutls_free_datum(&cert2bin);
return result;
}
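Review bot: The comparison on the two added lines reports two crts with empty `der` as identical, because equal sizes of 0 pass the first test and `memcmp` over zero bytes returns 0; the removed code always compared real encodings. Only gnutls_x509_crt_import fills `der` in this diff, so whether a crt can reach this function without it depends on callers not shown. A guard keeps such objects from matching, which is the conservative outcome for a same-certificate test: `if (cert1->der.data == NULL || cert2->der.data == NULL) return 0;` placed before the size check. `ret` is now used only by the check at the top of the function, which is fine but worth confirming since its declaration was kept.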
@@ -83,25 +64,14 @@ bool
_gnutls_check_if_same_cert2(gnutls_x509_crt_t cert1,
gnutls_datum_t * cert2bin)
{
- gnutls_datum_t cert1bin = { NULL, 0 };
- int ret;
bool result;
- ret = _gnutls_x509_der_encode(cert1->cert, "", &cert1bin, 0);
- if (ret < 0) {
- result = 0;
- gnutls_assert();
- goto cleanup;
- }
-
- if ((cert1bin.size == cert2bin->size) &&
- (memcmp(cert1bin.data, cert2bin->data, cert1bin.size) == 0))
+ if ((cert1->der.size == cert2bin->size) &&
+ (memcmp(cert1->der.data, cert2bin->data, cert1->der.size) == 0))
result = 1;
else
result = 0;
- cleanup:
- _gnutls_free_datum(&cert1bin);
return result;
}
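Review bot: `_gnutls_check_if_same_cert2` now silently depends on `cert1->der` having been filled by gnutls_x509_crt_import, a precondition the function did not have before, and nothing in the hunk records it. A comment above the size check would tell the next reader why there is no encode step: `/* cert1->der holds the encoding captured at import; a crt that was never imported has no DER here and will not match. */`. If `cert2bin` can also be empty, the same empty-vs-empty match as in `_gnutls_check_if_same_cert` applies, but that depends on callers outside the hunk.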
@@ -130,7 +100,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
*/
ret =
- _gnutls_x509_get_signed_data(issuer->cert, "tbsCertificate",
+ _gnutls_x509_get_signed_data(issuer->cert, &issuer->der, "tbsCertificate",
&issuer_signed_data);
if (ret < 0) {
gnutls_assert();
@@ -138,7 +108,7 @@ check_if_ca(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,
}
ret =
- _gnutls_x509_get_signed_data(cert->cert, "tbsCertificate",
+ _gnutls_x509_get_signed_data(cert->cert, &cert->der, "tbsCertificate",
&cert_signed_data);
if (ret < 0) {
gnutls_assert();
@@ -679,7 +649,7 @@ verify_crt(gnutls_x509_crt_t cert,
}
ret =
- _gnutls_x509_get_signed_data(cert->cert, "tbsCertificate",
+ _gnutls_x509_get_signed_data(cert->cert, &cert->der, "tbsCertificate",
&cert_signed_data);
if (ret < 0) {
result = 0;
@@ -1366,7 +1336,7 @@ gnutls_x509_crl_verify(gnutls_x509_crl_t crl,
}
result =
- _gnutls_x509_get_signed_data(crl->crl, "tbsCertList",
+ _gnutls_x509_get_signed_data(crl->crl, NULL, "tbsCertList",
&crl_signed_data);
if (result < 0) {
gnutls_assert();
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index ac12e934d5..aced47a2c7 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -162,6 +162,7 @@ void gnutls_x509_crt_deinit(gnutls_x509_crt_t cert)
asn1_delete_structure(&cert->cert);
gnutls_free(cert->raw_dn.data);
gnutls_free(cert->raw_issuer_dn.data);
+ gnutls_free(cert->der.data);
gnutls_free(cert);
}
@@ -186,16 +187,17 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
const gnutls_datum_t * data,
gnutls_x509_crt_fmt_t format)
{
- int result = 0, need_free = 0;
- gnutls_datum_t _data;
+ int result = 0;
if (cert == NULL) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
- _data.data = data->data;
- _data.size = data->size;
+ if (cert->der.data) {
+ gnutls_free(cert->der.data);
+ cert->der.data = NULL;
+ }
/* If the Certificate is in PEM format then decode it
*/
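Review bot: The reset added before the PEM decoding clears `cert->der.data` but leaves `cert->der.size` at its previous value, so a re-import that fails before a decode succeeds leaves the object holding `{NULL, old size}`. The PEM error path in the next hunk returns directly rather than jumping to cleanup, so that state survives and would later be handed to memcmp and `_gnutls_x509_get_signed_data` as a non-zero length with a NULL pointer. Reset both fields, `gnutls_free(cert->der.data); cert->der.data = NULL; cert->der.size = 0;`, or use `_gnutls_free_datum(&cert->der);` as the cleanup label in the last hunk already does. The body of gnutls_x509_crt_import continues beyond this hunk.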
@@ -203,22 +205,26 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
/* Try the first header */
result =
_gnutls_fbase64_decode(PEM_X509_CERT2, data->data,
- data->size, &_data);
+ data->size, &cert->der);
if (result <= 0) {
/* try for the second header */
result =
_gnutls_fbase64_decode(PEM_X509_CERT,
data->data, data->size,
- &_data);
+ &cert->der);
if (result < 0) {
gnutls_assert();
return result;
}
}
-
- need_free = 1;
+ } else {
+ result = _gnutls_set_datum(&cert->der, data->data, data->size);
+ if (result < 0) {
+ gnutls_assert();
+ return result;
+ }
}
if (cert->expanded) {
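Review bot: The `return result;` on the second-header failure path and in the new else branch bypass the `cleanup` label, which is where this commit now releases `cert->der`, so a failed re-import of a previously imported crt leaves `raw_dn` and `raw_issuer_dn` holding the old certificate while `der` has already been emptied — an object whose fields disagree with each other. Before this change the early returns were harmless because nothing about the import had been stored on the object yet. Turning both into `goto cleanup;` runs the same teardown on every failure path; the final hunk shows that cleanup frees der, raw_dn and raw_issuer_dn. The function body continues past this hunk.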
@@ -235,14 +241,14 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
cert->expanded = 1;
result =
- asn1_der_decoding(&cert->cert, _data.data, _data.size, NULL);
+ asn1_der_decoding(&cert->cert, cert->der.data, cert->der.size, NULL);
if (result != ASN1_SUCCESS) {
result = _gnutls_asn2err(result);
gnutls_assert();
goto cleanup;
}
- result = _gnutls_x509_get_raw_dn2(cert->cert, &_data,
+ result = _gnutls_x509_get_raw_dn2(cert->cert, &cert->der,
"tbsCertificate.issuer.rdnSequence",
&cert->raw_issuer_dn);
if (result < 0) {
@@ -250,7 +256,7 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
goto cleanup;
}
- result = _gnutls_x509_get_raw_dn2(cert->cert, &_data,
+ result = _gnutls_x509_get_raw_dn2(cert->cert, &cert->der,
"tbsCertificate.subject.rdnSequence",
&cert->raw_dn);
if (result < 0) {
@@ -261,14 +267,11 @@ gnutls_x509_crt_import(gnutls_x509_crt_t cert,
/* Since we do not want to disable any extension
*/
cert->use_extensions = 1;
- if (need_free)
- _gnutls_free_datum(&_data);
return 0;
cleanup:
- if (need_free)
- _gnutls_free_datum(&_data);
+ _gnutls_free_datum(&cert->der);
_gnutls_free_datum(&cert->raw_dn);
_gnutls_free_datum(&cert->raw_issuer_dn);
return result;
diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h
index 2137022d6d..cf4e152946 100644
--- a/lib/x509/x509_int.h
+++ b/lib/x509/x509_int.h
@@ -69,6 +69,7 @@ typedef struct gnutls_x509_crt_int {
gnutls_datum_t raw_dn;
gnutls_datum_t raw_issuer_dn;
+ gnutls_datum_t der;
struct pin_info_st pin;
} gnutls_x509_crt_int;
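Review bot: The new `der` member carries no comment, yet the verification code now reads it directly instead of re-encoding, so a reader needs to know which bytes it holds and when it is empty. I would add next to the field: `/* DER encoding of the certificate as passed to, or PEM-decoded by, gnutls_x509_crt_import; empty for a crt that was never imported. Freed in gnutls_x509_crt_deinit. */`. Whether other code paths that build a crt leave it empty is not visible here, and is exactly what consumers of `der` need to be told.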