From 300f221882f8f25581d49f3c5d168985de50ace9 Mon Sep 17 00:00:00 2001
From: Bob Beck
Date: Wed, 16 Aug 2023 22:18:25 +0000
Subject: [PATCH] Update pki to chromium cf9a08ff8be3a3f2d5b13693cc13ef22ab7ee618
Change-Id: I43283162ef356f9e7fb959dbc1ec9e0e98ee83ed
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62385
Commit-Queue: Bob Beck
Reviewed-by: David Benjamin
Commit-Queue: David Benjamin
Auto-Submit: Bob Beck
---
 pki/ocsp.cc | 27 ++++++++++++++-------------
 pki/ocsp.h | 14 ++++++--------
 pki/ocsp_unittest.cc | 8 ++++----
 pki/path_builder.h | 2 +-
 4 files changed, 25 insertions(+), 26 deletions(-)
diff --git a/pki/ocsp.cc b/pki/ocsp.cc
index f02b27440..5ccf2e2d8 100644
--- a/pki/ocsp.cc
+++ b/pki/ocsp.cc
@@ -2,10 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
-#include "webutil/url/url.h"
 #include "ocsp.h"
-#include "asn1_util.h"
 #include "cert_errors.h"
 #include "extended_key_usage.h"
 #include "parsed_certificate.h"
@@ -13,12 +11,11 @@
 #include "string_util.h"
 #include "verify_name_match.h"
 #include "verify_signed_data.h"
-#include "fillins/x509_util.h"
 #include
 #include
 #include
+#include
 #include
-#include "webutil/url/url.h"
 namespace bssl {
@@ -532,13 +529,16 @@ std::shared_ptr OCSPParseCertificate(
 ParseCertificateOptions parse_options;
 parse_options.allow_invalid_serial_numbers = true;
+ // The objects returned by this function only last for the duration of a
+ // single certificate verification, so there is no need to pool them to save
+ // memory.
+ //
+ // TODO(eroman): Swallows the parsing errors. However uses a permissive
 // parsing model.
 CertErrors errors;
 return ParsedCertificate::Create(
- bssl::UniquePtr(
- CRYPTO_BUFFER_new(reinterpret_cast(der.data()),
- der.size(), x509_util::GetBufferPool())),
+ bssl::UniquePtr(CRYPTO_BUFFER_new(
+ reinterpret_cast(der.data()), der.size(), nullptr)),
 {}, &errors);
 }
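Review bot: The pointer returned by `CRYPTO_BUFFER_new(...)` in the added lines of the `@@ -532` hunk is wrapped and passed straight to `ParsedCertificate::Create` without a null check, and that call returns NULL when allocation fails. Whether `Create` tolerates an empty `UniquePtr` is not visible in this patch, so I would either confirm that it does or build the buffer first and bail out, e.g. `bssl::UniquePtr<CRYPTO_BUFFER> buf(CRYPTO_BUFFER_new(..., nullptr));` followed by `if (!buf) return nullptr;`. Since the context lines keep `allow_invalid_serial_numbers = true` and discard `errors`, the new comment could also say that a null return is the only failure signal a caller gets. The function's signature starts outside the hunk.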
@@ -1014,19 +1014,20 @@ bool CreateOCSPRequest(const ParsedCertificate* cert,
 //
 // GET {url}/{url-encoding of base-64 encoding of the DER encoding of
 // the OCSPRequest}
-URL CreateOCSPGetURL(const ParsedCertificate* cert,
- const ParsedCertificate* issuer,
- std::string_view ocsp_responder_url) {
+std::optional CreateOCSPGetURL(
+ const ParsedCertificate* cert,
+ const ParsedCertificate* issuer,
+ std::string_view ocsp_responder_url) {
 std::vector ocsp_request_der;
 if (!CreateOCSPRequest(cert, issuer, &ocsp_request_der)) {
 // Unexpected (means BoringSSL failed an operation).
- return URL();
+ return std::nullopt;
 }
 // Base64 encode the request data.
 size_t len;
 if (!EVP_EncodedLength(&len, ocsp_request_der.size())) {
- return URL();
+ return std::nullopt;
 }
 std::vector encoded(len);
 len = EVP_EncodeBlock(encoded.data(), ocsp_request_der.data(),
@@ -1044,7 +1045,7 @@ URL CreateOCSPGetURL(const ParsedCertificate* cert,
 // No attempt is made to collapse double slashes for URLs that end in slash,
 // since the spec doesn't do that.
- return URL(std::string(ocsp_responder_url) + "/" + b64_encoded);
+ return std::string(ocsp_responder_url) + "/" + b64_encoded;
 }
 } // namespace net
diff --git a/pki/ocsp.h b/pki/ocsp.h
index 496378bfb..69c41c8ed 100644
--- a/pki/ocsp.h
+++ b/pki/ocsp.h
@@ -6,21 +6,18 @@
 #define BSSL_PKI_OCSP_H_
 #include "fillins/openssl_util.h"
-#include "webutil/url/url.h"
 #include
+#include
 #include
 #include "ocsp_revocation_status.h"
 #include "ocsp_verify_result.h"
-#include "parse_certificate.h"
 #include "signature_algorithm.h"
 #include "input.h"
 #include "parse_values.h"
 #include "parser.h"
-#include "tag.h"
-
-class URL;
+#include
 namespace bssl {
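Review bot: Nothing in `CreateOCSPGetURL` parses or validates the responder URL now that the `URL` wrapper is gone: the `@@ -1044` hunk returns the plain concatenation `std::string(ocsp_responder_url) + "/" + b64_encoded`, and the two `return std::nullopt;` lines in the `@@ -1014` hunk only signal that the request could not be encoded. The responder URL presumably originates from a certificate extension, i.e. untrusted input, so callers have to check the scheme and host themselves before fetching; whether the old `URL` type did any of that is not visible in this patch. I would document the contract above the definition and on the declaration in `pki/ocsp.h` (the `@@ -315` hunk), e.g. `// Returns std::nullopt only if the OCSP request could not be encoded; the result is not parsed or validated as a URL.` The URL-escaping step between the two ocsp.cc hunks lies outside the patch.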
@@ -315,9 +312,10 @@ OPENSSL_EXPORT bool CreateOCSPRequest(const ParsedCertificate* cert,
 std::vector* request_der);
 // Creates a URL to issue a GET request for OCSP information for |cert|.
-OPENSSL_EXPORT URL CreateOCSPGetURL(const ParsedCertificate* cert,
- const ParsedCertificate* issuer,
- std::string_view ocsp_responder_url);
+OPENSSL_EXPORT std::optional CreateOCSPGetURL(
+ const ParsedCertificate* cert,
+ const ParsedCertificate* issuer,
+ std::string_view ocsp_responder_url);
 } // namespace net
diff --git a/pki/ocsp_unittest.cc b/pki/ocsp_unittest.cc
index 32fc1f339..06a012b2c 100644
--- a/pki/ocsp_unittest.cc
+++ b/pki/ocsp_unittest.cc
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
-#include "webutil/url/url.h"
 #include "ocsp.h"
 #include "string_util.h"
@@ -11,7 +10,6 @@
 #include
 #include
 #include
-#include "webutil/url/url.h"
 namespace bssl {
@@ -214,13 +212,15 @@ TEST_P(CreateOCSPGetURLTest, Basic) {
 std::shared_ptr issuer = ParseCertificate(ca_data);
 ASSERT_TRUE(issuer);
- URL url = CreateOCSPGetURL(cert.get(), issuer.get(), GetParam());
+ std::optional url =
+ CreateOCSPGetURL(cert.get(), issuer.get(), GetParam());
+ ASSERT_TRUE(url);
 // Try to extract the encoded data and compare against |request_data|.
 //
 // A known answer output test would be better as this just reverses the logic
 // from the implementation file.
- std::string b64 = url.spec().substr(GetParam().size() + 1);
+ std::string b64 = url->substr(GetParam().size() + 1);
 // Hex un-escape the data.
 b64 = bssl::string_util::FindAndReplace(b64, "%2B", "+");
diff --git a/pki/path_builder.h b/pki/path_builder.h
index b1f03faa4..f5b8a9147 100644
--- a/pki/path_builder.h
+++ b/pki/path_builder.h
@@ -223,7 +223,7 @@ class OPENSSL_EXPORT CertPathBuilder {
 Result out_result_;
 std::unique_ptr cert_path_iter_;
- CertPathBuilderDelegate * delegate_;
+ CertPathBuilderDelegate* delegate_;
 const der::GeneralizedTime time_;
 const KeyPurpose key_purpose_;
 const InitialExplicitPolicy initial_explicit_policy_;