Update pki to chromium cf9a08ff8be3a3f2d5b13693cc13ef22ab7ee618

Change-Id: I43283162ef356f9e7fb959dbc1ec9e0e98ee83ed
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62385
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Auto-Submit: Bob Beck <bbe@google.com>
chromium-stable
Bob Beck 1 year ago committed by Boringssl LUCI CQ
parent b8e012e1ff
commit 300f221882
  1. 27
      pki/ocsp.cc
  2. 14
      pki/ocsp.h
  3. 8
      pki/ocsp_unittest.cc
  4. 2
      pki/path_builder.h

@ -2,10 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "webutil/url/url.h"
#include "ocsp.h"
#include "asn1_util.h"
#include "cert_errors.h"
#include "extended_key_usage.h"
#include "parsed_certificate.h"
@ -13,12 +11,11 @@
#include "string_util.h"
#include "verify_name_match.h"
#include "verify_signed_data.h"
#include "fillins/x509_util.h"
#include <openssl/bytestring.h>
#include <openssl/digest.h>
#include <openssl/mem.h>
#include <openssl/pool.h>
#include <openssl/sha.h>
#include "webutil/url/url.h"
namespace bssl {
@ -532,13 +529,16 @@ std::shared_ptr<const ParsedCertificate> OCSPParseCertificate(
ParseCertificateOptions parse_options;
parse_options.allow_invalid_serial_numbers = true;
// The objects returned by this function only last for the duration of a
// single certificate verification, so there is no need to pool them to save
// memory.
//
// TODO(eroman): Swallows the parsing errors. However uses a permissive
// parsing model.
CertErrors errors;
return ParsedCertificate::Create(
bssl::UniquePtr<CRYPTO_BUFFER>(
CRYPTO_BUFFER_new(reinterpret_cast<const uint8_t*>(der.data()),
der.size(), x509_util::GetBufferPool())),
bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
reinterpret_cast<const uint8_t*>(der.data()), der.size(), nullptr)),
{}, &errors);
}
@ -1014,19 +1014,20 @@ bool CreateOCSPRequest(const ParsedCertificate* cert,
//
// GET {url}/{url-encoding of base-64 encoding of the DER encoding of
// the OCSPRequest}
URL CreateOCSPGetURL(const ParsedCertificate* cert,
const ParsedCertificate* issuer,
std::string_view ocsp_responder_url) {
std::optional<std::string> CreateOCSPGetURL(
const ParsedCertificate* cert,
const ParsedCertificate* issuer,
std::string_view ocsp_responder_url) {
std::vector<uint8_t> ocsp_request_der;
if (!CreateOCSPRequest(cert, issuer, &ocsp_request_der)) {
// Unexpected (means BoringSSL failed an operation).
return URL();
return std::nullopt;
}
// Base64 encode the request data.
size_t len;
if (!EVP_EncodedLength(&len, ocsp_request_der.size())) {
return URL();
return std::nullopt;
}
std::vector<uint8_t> encoded(len);
len = EVP_EncodeBlock(encoded.data(), ocsp_request_der.data(),
@ -1044,7 +1045,7 @@ URL CreateOCSPGetURL(const ParsedCertificate* cert,
// No attempt is made to collapse double slashes for URLs that end in slash,
// since the spec doesn't do that.
return URL(std::string(ocsp_responder_url) + "/" + b64_encoded);
return std::string(ocsp_responder_url) + "/" + b64_encoded;
}
} // namespace net
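Review bot: The final `return std::string(ocsp_responder_url) + "/" + b64_encoded;` in CreateOCSPGetURL passes the responder URL through verbatim, so after this change nothing in the visible code parses or checks it. Whether the old `URL(...)` wrapper did any validation is not visible here, but callers now get a plain string with no validity signal. The responder URL presumably originates from the certificate being checked, so I would add a comment above the return: `// |ocsp_responder_url| is not parsed or validated here; the caller must check the scheme and host before fetching.` The middle of the function, between the base64 encoding and this return, lies outside the visible hunks. Separately, the closing `}  // namespace net` no longer matches the opening `namespace bssl`.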

@ -6,21 +6,18 @@
#define BSSL_PKI_OCSP_H_
#include "fillins/openssl_util.h"
#include "webutil/url/url.h"
#include <memory>
#include <string>
#include <vector>
#include "ocsp_revocation_status.h"
#include "ocsp_verify_result.h"
#include "parse_certificate.h"
#include "signature_algorithm.h"
#include "input.h"
#include "parse_values.h"
#include "parser.h"
#include "tag.h"
class URL;
#include <optional>
namespace bssl {
@ -315,9 +312,10 @@ OPENSSL_EXPORT bool CreateOCSPRequest(const ParsedCertificate* cert,
std::vector<uint8_t>* request_der);
// Creates a URL to issue a GET request for OCSP information for |cert|.
OPENSSL_EXPORT URL CreateOCSPGetURL(const ParsedCertificate* cert,
const ParsedCertificate* issuer,
std::string_view ocsp_responder_url);
OPENSSL_EXPORT std::optional<std::string> CreateOCSPGetURL(
const ParsedCertificate* cert,
const ParsedCertificate* issuer,
std::string_view ocsp_responder_url);
} // namespace net
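Review bot: The comment above the new `std::optional<std::string> CreateOCSPGetURL(...)` declaration still reads only "Creates a URL to issue a GET request", so it does not say what an empty optional means. Going by the implementation hunks, `std::nullopt` is returned when the request cannot be built or its base64 length cannot be computed. I would extend the comment with `// Returns std::nullopt if the OCSP request could not be created or encoded.` The declaration also takes a `std::string_view`, but no `<string_view>` include is visible in this hunk, so it may only be available transitively.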

@ -2,7 +2,6 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "webutil/url/url.h"
#include "ocsp.h"
#include "string_util.h"
@ -11,7 +10,6 @@
#include <gtest/gtest.h>
#include <openssl/base64.h>
#include <openssl/pool.h>
#include "webutil/url/url.h"
namespace bssl {
@ -214,13 +212,15 @@ TEST_P(CreateOCSPGetURLTest, Basic) {
std::shared_ptr<const ParsedCertificate> issuer = ParseCertificate(ca_data);
ASSERT_TRUE(issuer);
URL url = CreateOCSPGetURL(cert.get(), issuer.get(), GetParam());
std::optional<std::string> url =
CreateOCSPGetURL(cert.get(), issuer.get(), GetParam());
ASSERT_TRUE(url);
// Try to extract the encoded data and compare against |request_data|.
//
// A known answer output test would be better as this just reverses the logic
// from the implementation file.
std::string b64 = url.spec().substr(GetParam().size() + 1);
std::string b64 = url->substr(GetParam().size() + 1);
// Hex un-escape the data.
b64 = bssl::string_util::FindAndReplace(b64, "%2B", "+");
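Review bot: In the Basic test, `url->substr(GetParam().size() + 1)` discards the prefix without checking it, so the test would still pass if the returned string did not begin with the responder URL followed by "/". Unless the prefix is checked further down, outside the visible hunk, I would add `ASSERT_EQ(url->substr(0, GetParam().size() + 1), std::string(GetParam()) + "/");` before extracting `b64`. `substr` throws if the position is past the end, so a length check first would make a too-short result fail as an assertion rather than an exception.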

@ -223,7 +223,7 @@ class OPENSSL_EXPORT CertPathBuilder {
Result out_result_;
std::unique_ptr<CertPathIter> cert_path_iter_;
CertPathBuilderDelegate * delegate_;
CertPathBuilderDelegate* delegate_;
const der::GeneralizedTime time_;
const KeyPurpose key_purpose_;
const InitialExplicitPolicy initial_explicit_policy_;
