Commit 0e76014e authored by Viktor Dukhovni's avatar Viktor Dukhovni
Browse files

Drop cached certificate signature validity flag 



It seems risky in the context of cross-signed certificates when the
same certificate might have multiple potential issuers.  Also rarely
used, since chains in OpenSSL typically only employ self-signed
trust-anchors, whose self-signatures are not checked, while untrusted
certificates are generally ephemeral.

Reviewed-by: default avatarDr. Stephen Henson <steve@openssl.org>
parent 86334b6a

crypto/include/internal/x509_int.h

+0 −1
Original line number Diff line number Diff line
@@ -192,7 +192,6 @@ struct x509_st { 
    X509_CINF cert_info;

    X509_ALGOR sig_alg;

    ASN1_BIT_STRING signature;

    int valid;

    int references;

    char *name;

    CRYPTO_EX_DATA ex_data;

crypto/x509/x509_vfy.c

+1 −5
Original line number Diff line number Diff line
@@ -1618,9 +1618,7 @@ static int internal_verify(X509_STORE_CTX *ctx) 
         * explicitly asked for. It doesn't add any security and just wastes

         * time.

         */

        if (!xs->valid

            && (xs != xi

                || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {

        if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {

            if ((pkey = X509_get0_pubkey(xi)) == NULL) {

                ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;

                ctx->current_cert = xi;
@@ -1636,8 +1634,6 @@ static int internal_verify(X509_STORE_CTX *ctx) 
            }

        }



        xs->valid = 1;



 check_cert:

        ok = x509_check_cert_time(ctx, xs, 0);

        if (!ok)

crypto/x509/x_x509.c

+0 −1
Original line number Diff line number Diff line
@@ -90,7 +90,6 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, 
    switch (operation) {



    case ASN1_OP_NEW_POST:

        ret->valid = 0;

        ret->name = NULL;

        ret->ex_flags = 0;

        ret->ex_pathlen = -1;