From 99be8ed331d884e77f658bb404b67a42405703e6 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 21 May 2021 16:45:58 +0100
Subject: Fix cert creation in the store

When we create a cert in the store, make sure we do so with the libctx
and propq associated.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15523)
---
 crypto/store/store_result.c | 31 +++++++++++++++----------------
 1 file changed, 15 insertions(+), 16 deletions(-)

(limited to 'crypto/store')

diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c
index 82ec046763..7c48d182a8 100644
--- a/crypto/store/store_result.c
+++ b/crypto/store/store_result.c
@@ -442,8 +442,6 @@ static int try_cert(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
 {
     if (data->object_type == OSSL_OBJECT_UNKNOWN
         || data->object_type == OSSL_OBJECT_CERT) {
-        X509 *cert;
-
         /*
          * In most cases, we can try to interpret the serialized
          * data as a trusted cert (X509 + X509_AUX) and fall back
@@ -454,31 +452,32 @@ static int try_cert(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
          * or not (0).
          */
         int ignore_trusted = 1;
+        X509 *cert = X509_new_ex(libctx, propq);
+
+        if (cert == NULL)
+            return 0;
 
         /* If we have a data type, it should be a PEM name */
         if (data->data_type != NULL
             && (strcasecmp(data->data_type, PEM_STRING_X509_TRUSTED) == 0))
             ignore_trusted = 0;
 
-        cert = d2i_X509_AUX(NULL, (const unsigned char **)&data->octet_data,
-                            data->octet_data_size);
-        if (cert == NULL && ignore_trusted)
-            cert = d2i_X509(NULL, (const unsigned char **)&data->octet_data,
-                            data->octet_data_size);
-
-        if (cert != NULL)
-            /* We determined the object type */
-            data->object_type = OSSL_OBJECT_CERT;
-
-        if (cert != NULL && !ossl_x509_set0_libctx(cert, libctx, propq)) {
+        if (d2i_X509_AUX(&cert, (const unsigned char **)&data->octet_data,
+                         data->octet_data_size) == NULL
+            && (!ignore_trusted
+                || d2i_X509(&cert, (const unsigned char **)&data->octet_data,
+                            data->octet_data_size) == NULL)) {
             X509_free(cert);
             cert = NULL;
         }
 
-        if (cert != NULL)
+        if (cert != NULL) {
+            /* We determined the object type */
+            data->object_type = OSSL_OBJECT_CERT;
             *v = OSSL_STORE_INFO_new_CERT(cert);
-        if (*v == NULL)
-            X509_free(cert);
+            if (*v == NULL)
+                X509_free(cert);
+        }
     }
 
     return 1;
-- 
cgit v1.2.1