authorGibeom Gwon <gb.gwon@stackframe.dev>2022-10-12 02:53:00 +0900
committerTomas Mraz <tomas@openssl.org>2022-10-20 17:02:32 +0200
commit963e0bc43369a6dbe6644f709630f6c9f63dccf9 (patch)
tree95ccc46631b1e8a802d43d46d786564648b02e76 /crypto
parentcd6e89b6b6ebe204cc442da9b563213bd67eb27f (diff)
Fix no longer implicitly refresh the cached TBSCertificate
This reverts commit 9249a34b076df9a9d55ab74ab465d336980cae6a. Fixes #19388 Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19393)
Diffstat (limited to 'crypto')
-rw-r--r--crypto/x509/x_all.c80
1 files changed, 32 insertions, 48 deletions
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index a8d36f1e59..b7806c1ec1 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -59,34 +59,34 @@ int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
{
- int ret;
-
if (x == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
- ret = ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
- &x->sig_alg, &x->signature, &x->cert_info, NULL,
- pkey, md, x->libctx, x->propq);
- if (ret > 0)
- x->cert_info.enc.modified = 1;
- return ret;
+
+ /*
+ * Setting the modified flag before signing it. This makes the cached
+ * encoding to be ignored, so even if the certificate fields have changed,
+ * they are signed correctly.
+ * The X509_sign_ctx, X509_REQ_sign{,_ctx}, X509_CRL_sign{,_ctx} functions
+ * which exist below are the same.
+ */
+ x->cert_info.enc.modified = 1;
+ return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
+ &x->sig_alg, &x->signature, &x->cert_info, NULL,
+ pkey, md, x->libctx, x->propq);
}
int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
{
- int ret;
-
if (x == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
- ret = ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
- &x->cert_info.signature,
- &x->sig_alg, &x->signature, &x->cert_info, ctx);
- if (ret > 0)
- x->cert_info.enc.modified = 1;
- return ret;
+ x->cert_info.enc.modified = 1;
+ return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
+ &x->cert_info.signature,
+ &x->sig_alg, &x->signature, &x->cert_info, ctx);
}
static ASN1_VALUE *simple_get_asn1(const char *url, BIO *bio, BIO *rbio,
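Review bot: The block comment above `x->cert_info.enc.modified = 1;` in X509_sign describes the mechanics but not the invariant, and its wording is off ("This makes the cached encoding to be ignored"); given that the reverted commit shows this ordering was already gotten wrong once, it should say plainly that the flag must be set before ASN1_item_sign_ex so the bytes that get hashed are re-derived from the current fields rather than read from a stale cache, because a signature over stale TBS bytes will not verify against what the encoder emits later. A tighter version: `/* Invalidate the cached TBSCertificate encoding before signing so the signature covers the current field values, not a stale cache; the same applies to X509_sign_ctx, X509_REQ_sign{,_ctx} and X509_CRL_sign{,_ctx} below. */`. This hunk does not show whether the encode step inside ASN1_item_sign_ex rebuilds the cache and clears the flag again; if that is what keeps the stored encoding and the signature consistent after signing, the comment should say so, since a reader of X509_sign alone cannot tell.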
@@ -111,66 +111,50 @@ X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
{
- int ret;
-
if (x == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
- ret = ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
- x->signature, &x->req_info, NULL,
- pkey, md, x->libctx, x->propq);
- if (ret > 0)
- x->req_info.enc.modified = 1;
- return ret;
+ x->req_info.enc.modified = 1;
+ return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
+ x->signature, &x->req_info, NULL,
+ pkey, md, x->libctx, x->propq);
}
int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
{
- int ret;
-
if (x == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
- ret = ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_REQ_INFO),
- &x->sig_alg, NULL, x->signature, &x->req_info,
- ctx);
- if (ret > 0)
- x->req_info.enc.modified = 1;
- return ret;
+ x->req_info.enc.modified = 1;
+ return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_REQ_INFO),
+ &x->sig_alg, NULL, x->signature, &x->req_info,
+ ctx);
}
int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
{
- int ret;
-
if (x == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
- ret = ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
- &x->sig_alg, &x->signature, &x->crl, NULL,
- pkey, md, x->libctx, x->propq);
- if (ret > 0)
- x->crl.enc.modified = 1;
- return ret;
+ x->crl.enc.modified = 1;
+ return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
+ &x->sig_alg, &x->signature, &x->crl, NULL,
+ pkey, md, x->libctx, x->propq);
}
int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
{
- int ret;
-
if (x == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
- ret = ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
- &x->crl.sig_alg, &x->sig_alg, &x->signature,
- &x->crl, ctx);
- if (ret > 0)
- x->crl.enc.modified = 1;
- return ret;
+ x->crl.enc.modified = 1;
+ return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
+ &x->crl.sig_alg, &x->sig_alg, &x->signature,
+ &x->crl, ctx);
}
X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
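Review bot: X509_REQ_sign, X509_REQ_sign_ctx, X509_CRL_sign and X509_CRL_sign_ctx each set the modified flag before the sign call with no comment, relying on the reader having seen the explanation in X509_sign in a different hunk; a one-line pointer such as `/* see X509_sign(): invalidate the cached encoding before signing */` at each `x->req_info.enc.modified = 1;` and `x->crl.enc.modified = 1;` line would keep the ordering from being "simplified" back to set-after-sign in a later edit to one of these functions. Setting the flag unconditionally also discards any cached encoding from a parsed request or CRL, so re-signing an object read from DER signs (and will subsequently emit) a fresh encoding of its fields rather than the original bytes; that is presumably the intent here, but it is worth stating in the comment for callers that expected input bytes to be preserved verbatim. The diffstat is limited to 'crypto', so whether a regression test for #19388 accompanies this change cannot be confirmed from this page.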