Update pki to chromium cf9a08ff8be3a3f2d5b13693cc13ef22ab7ee618

Change-Id: I43283162ef356f9e7fb959dbc1ec9e0e98ee83ed Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62385 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: Bob Beck <bbe@google.com>
1 year ago · 300f221882
parent b8e012e1ff
commit 300f221882
4 changed files with 25 additions and 26 deletions
--- a/pki/ocsp.cc
+++ b/pki/ocsp.cc
@ -2,10 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-#include "webutil/url/url.h"
 #include "ocsp.h"

-#include "asn1_util.h"
 #include "cert_errors.h"
 #include "extended_key_usage.h"
 #include "parsed_certificate.h"
@ -13,12 +11,11 @@
 #include "string_util.h"
 #include "verify_name_match.h"
 #include "verify_signed_data.h"
-#include "fillins/x509_util.h"
 #include <openssl/bytestring.h>
 #include <openssl/digest.h>
 #include <openssl/mem.h>
+#include <openssl/pool.h>
 #include <openssl/sha.h>
-#include "webutil/url/url.h"

 namespace bssl {

@ -532,13 +529,16 @@ std::shared_ptr<const ParsedCertificate> OCSPParseCertificate(
  ParseCertificateOptions parse_options;
  parse_options.allow_invalid_serial_numbers = true;

+  // The objects returned by this function only last for the duration of a
+  // single certificate verification, so there is no need to pool them to save
+  // memory.
+  //
  // TODO(eroman): Swallows the parsing errors. However uses a permissive
  // parsing model.
  CertErrors errors;
  return ParsedCertificate::Create(
-      bssl::UniquePtr<CRYPTO_BUFFER>(
-          CRYPTO_BUFFER_new(reinterpret_cast<const uint8_t*>(der.data()),
-                            der.size(), x509_util::GetBufferPool())),
+      bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
+          reinterpret_cast<const uint8_t*>(der.data()), der.size(), nullptr)),
      {}, &errors);
 }

@ -1014,19 +1014,20 @@ bool CreateOCSPRequest(const ParsedCertificate* cert,
 //
 //    GET {url}/{url-encoding of base-64 encoding of the DER encoding of
 //    the OCSPRequest}
-URL CreateOCSPGetURL(const ParsedCertificate* cert,
+std::optional<std::string> CreateOCSPGetURL(
+    const ParsedCertificate* cert,
    const ParsedCertificate* issuer,
    std::string_view ocsp_responder_url) {
  std::vector<uint8_t> ocsp_request_der;
  if (!CreateOCSPRequest(cert, issuer, &ocsp_request_der)) {
    // Unexpected (means BoringSSL failed an operation).
-    return URL();
+    return std::nullopt;
  }

  // Base64 encode the request data.
  size_t len;
  if (!EVP_EncodedLength(&len, ocsp_request_der.size())) {
-    return URL();
+    return std::nullopt;
  }
  std::vector<uint8_t> encoded(len);
  len = EVP_EncodeBlock(encoded.data(), ocsp_request_der.data(),
@ -1044,7 +1045,7 @@ URL CreateOCSPGetURL(const ParsedCertificate* cert,

  // No attempt is made to collapse double slashes for URLs that end in slash,
  // since the spec doesn't do that.
-  return URL(std::string(ocsp_responder_url) + "/" + b64_encoded);
+  return std::string(ocsp_responder_url) + "/" + b64_encoded;
 }

 }  // namespace net
--- a/pki/ocsp.h
+++ b/pki/ocsp.h
@ -6,21 +6,18 @@
 #define BSSL_PKI_OCSP_H_

 #include "fillins/openssl_util.h"
-#include "webutil/url/url.h"
 #include <memory>
+#include <string>
 #include <vector>


 #include "ocsp_revocation_status.h"
 #include "ocsp_verify_result.h"
-#include "parse_certificate.h"
 #include "signature_algorithm.h"
 #include "input.h"
 #include "parse_values.h"
 #include "parser.h"
-#include "tag.h"
-
-class URL;
+#include <optional>

 namespace bssl {

@ -315,7 +312,8 @@ OPENSSL_EXPORT bool CreateOCSPRequest(const ParsedCertificate* cert,
                                  std::vector<uint8_t>* request_der);

 // Creates a URL to issue a GET request for OCSP information for |cert|.
-OPENSSL_EXPORT URL CreateOCSPGetURL(const ParsedCertificate* cert,
+OPENSSL_EXPORT std::optional<std::string> CreateOCSPGetURL(
+    const ParsedCertificate* cert,
    const ParsedCertificate* issuer,
    std::string_view ocsp_responder_url);

--- a/pki/ocsp_unittest.cc
+++ b/pki/ocsp_unittest.cc
@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-#include "webutil/url/url.h"
 #include "ocsp.h"

 #include "string_util.h"
@ -11,7 +10,6 @@
 #include <gtest/gtest.h>
 #include <openssl/base64.h>
 #include <openssl/pool.h>
-#include "webutil/url/url.h"

 namespace bssl {

@ -214,13 +212,15 @@ TEST_P(CreateOCSPGetURLTest, Basic) {
  std::shared_ptr<const ParsedCertificate> issuer = ParseCertificate(ca_data);
  ASSERT_TRUE(issuer);

-  URL url = CreateOCSPGetURL(cert.get(), issuer.get(), GetParam());
+  std::optional<std::string> url =
+      CreateOCSPGetURL(cert.get(), issuer.get(), GetParam());
+  ASSERT_TRUE(url);

  // Try to extract the encoded data and compare against |request_data|.
  //
  // A known answer output test would be better as this just reverses the logic
  // from the implementation file.
-  std::string b64 = url.spec().substr(GetParam().size() + 1);
+  std::string b64 = url->substr(GetParam().size() + 1);

  // Hex un-escape the data.
  b64 = bssl::string_util::FindAndReplace(b64, "%2B", "+");