Don't use |X509| objects in |CERT|, by default.
This change converts the |CERT| struct to holding certificates as binary
blobs, rather than in parsed form. The members for holding the parsed
form are still there, however, but are only used as a cache for the
event that someone asks us for a non-owning pointer to the parsed leaf
or chain.
Next steps:
* Move more functions into ssl_x509.c
* Create an X509_OPS struct of function pointers that will hang off
the |SSL_METHOD| to abstract out the current calls to crypto/x509
operations.
BUG=chromium:671420
Change-Id: Ifa05d88c49a987fd561b349705c9c48f106ec868
Reviewed-on: https://boringssl-review.googlesource.com/13280
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 101ee4d..a60caf0 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1272,34 +1272,12 @@
/* Fix this so it checks all the valid key/cert options */
int SSL_CTX_check_private_key(const SSL_CTX *ctx) {
- if (ctx->cert->privatekey == NULL) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
- return 0;
- }
-
- X509 *x509 = ctx->cert->x509_leaf;
- if (x509 == NULL) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
- return 0;
- }
-
- return X509_check_private_key(x509, ctx->cert->privatekey);
+ return ssl_cert_check_private_key(ctx->cert, ctx->cert->privatekey);
}
/* Fix this function so that it takes an optional type parameter */
int SSL_check_private_key(const SSL *ssl) {
- if (ssl->cert->privatekey == NULL) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
- return 0;
- }
-
- X509 *x509 = ssl->cert->x509_leaf;
- if (x509 == NULL) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
- return 0;
- }
-
- return X509_check_private_key(x509, ssl->cert->privatekey);
+ return ssl_cert_check_private_key(ssl->cert, ssl->cert->privatekey);
}
long SSL_get_default_timeout(const SSL *ssl) {
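Review bot: The two new calls pass `ctx->cert->privatekey` / `ssl->cert->privatekey` as a separate argument even though the helper already receives the same |CERT|, so the second parameter carries no information and lets a future caller hand in a key that does not belong to that cert; either have the helper read `cert->privatekey` itself, or document on its declaration that the key argument must be the one stored in `cert`. The removed bodies reported SSL_R_NO_PRIVATE_KEY_ASSIGNED and SSL_R_NO_CERTIFICATE_ASSIGNED before reaching X509_check_private_key; ssl_cert_check_private_key is defined outside this hunk, so whether it preserves those two error codes, and what it reports when the stored leaf blob fails to parse now that the parsed X509 is only a cache, cannot be confirmed here and deserves a comment such as `/* Reports SSL_R_NO_PRIVATE_KEY_ASSIGNED / SSL_R_NO_CERTIFICATE_ASSIGNED for a missing key or leaf, matching the checks formerly inlined in SSL_check_private_key. */` on the helper. The pre-existing `/* Fix this so it checks all the valid key/cert options */` comment above SSL_CTX_check_private_key is left in place although the function now delegates all checking.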