commit 1c34275e6112b8af8a5897cb31bbc7de180ba464
Author: Dr. David von Oheimb <David.von.Oheimb@siemens.com>
Date: Mon Aug 23 10:33:27 2021 +0200
X509V3_set_nconf(): Improve error handling using this function, mostly in apps/
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16998)
diff --git a/apps/ca.c b/apps/ca.c
index 5f5029f7ad..7c4af7551b 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -869,11 +869,8 @@ end_of_options:
X509V3_CTX ctx;
X509V3_set_ctx_test(&ctx);
- X509V3_set_nconf(&ctx, extfile_conf);
- if (!X509V3_EXT_add_nconf(extfile_conf, &ctx, extensions, NULL)) {
- BIO_printf(bio_err,
- "Error checking certificate extensions from extfile section %s\n",
- extensions);
+ if (!do_EXT_add_nconf(extfile_conf, extfile_conf, &ctx, NULL,
+ "Error checking certificate extensions from extfile section %s\n", extensions)) {
ret = 1;
goto end;
}
@@ -889,11 +886,8 @@ end_of_options:
X509V3_CTX ctx;
X509V3_set_ctx_test(&ctx);
- X509V3_set_nconf(&ctx, conf);
- if (!X509V3_EXT_add_nconf(conf, &ctx, extensions, NULL)) {
- BIO_printf(bio_err,
- "Error checking certificate extension config section %s\n",
- extensions);
+ if (!do_EXT_add_nconf(conf, conf, &ctx, NULL,
+ "Error checking certificate extension config section %s\n", extensions)) {
ret = 1;
goto end;
}
@@ -1150,10 +1144,8 @@ end_of_options:
X509V3_CTX ctx;
X509V3_set_ctx_test(&ctx);
- X509V3_set_nconf(&ctx, conf);
- if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) {
- BIO_printf(bio_err,
- "Error checking CRL extension section %s\n", crl_ext);
+ if (!do_EXT_add_nconf(conf, conf, &ctx, NULL,
+ "Error checking CRL extension section %s\n", crl_ext)) {
ret = 1;
goto end;
}
@@ -1242,12 +1234,11 @@ end_of_options:
X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
X509V3_set_nconf(&crlctx, conf);
- if (crl_ext != NULL)
- if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, crl_ext, crl)) {
- BIO_printf(bio_err,
- "Error adding CRL extensions from section %s\n", crl_ext);
- goto end;
- }
+ if (crl_ext != NULL && !X509V3_EXT_CRL_add_nconf(conf, &crlctx, crl_ext, crl)) {
+ BIO_printf(bio_err,
+ "Error adding CRL extensions from section %s\n", crl_ext);
+ goto end;
+ }
if (crlnumberfile != NULL) {
tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL);
if (!tmpser)
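Review bot: This is the one extension-adding site in the commit that still pairs a bare `X509V3_set_nconf(&crlctx, conf);` with its own `BIO_printf` instead of going through a shared helper, so the error-reporting convention the commit introduces is not applied uniformly; a `do_EXT_CRL_add_nconf(conf, conf, &crlctx, crl, "Error adding CRL extensions from section %s\n", crl_ext)` twin of the X509/REQ helpers in apps/lib/apps.c would keep all four paths identical. Unlike the three checks earlier in this file, this failure path does `goto end` without first setting `ret = 1`; if `ret` can be 0 at this point (the surrounding function runs well past the hunk, so I cannot confirm), a CRL extension failure would exit with success status, which is worth verifying since scripts key off the exit code. This is pre-existing behaviour, but the hunk rewrites the lines, so it is the moment to check.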
@@ -1710,28 +1701,18 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
BIO_puts(bio_err, "Extra configuration file found\n");
/* Use the extfile_conf configuration db LHASH */
- X509V3_set_nconf(&ext_ctx, extfile_conf);
-
/* Adds exts contained in the configuration file */
- if (!X509V3_EXT_add_nconf(extfile_conf, &ext_ctx, ext_sect, ret)) {
- BIO_printf(bio_err,
- "Error adding certificate extensions from extfile section %s\n",
- ext_sect);
+ if (!do_EXT_add_nconf(extfile_conf, extfile_conf, &ext_ctx, ret,
+ "Error adding certificate extensions from extfile section %s\n", ext_sect))
goto end;
- }
if (verbose)
BIO_puts(bio_err,
"Successfully added extensions from file.\n");
} else if (ext_sect) {
/* We found extensions to be set from config file */
- X509V3_set_nconf(&ext_ctx, lconf);
-
- if (!X509V3_EXT_add_nconf(lconf, &ext_ctx, ext_sect, ret)) {
- BIO_printf(bio_err,
- "Error adding certificate extensions from config section %s\n",
- ext_sect);
+ if (!do_EXT_add_nconf(lconf, lconf, &ext_ctx, ret,
+ "Error adding certificate extensions from config section %s\n", ext_sect))
goto end;
- }
if (verbose)
BIO_puts(bio_err,
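Review bot: The comment `/* Use the extfile_conf configuration db LHASH */` now dangles: the `X509V3_set_nconf` call it described was removed, and the line after it carries its own comment, so a reader sees two comments for one call. Fold them into one that states what the helper does with both arguments, e.g. `/* Add exts from extfile_conf, also using it as the db for @section lookups */`, and drop the stale one; the "config section" branch below has no comment about its db at all and could carry the same sentence with lconf. The enclosing do_body() starts before and continues after this hunk.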
diff --git a/apps/include/apps.h b/apps/include/apps.h
index feeb9d7f41..e9b1b6538e 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -275,6 +275,10 @@ int init_gen_str(EVP_PKEY_CTX **pctx,
const char *algname, int do_param,
OSSL_LIB_CTX *libctx, const char *propq);
int cert_matches_key(const X509 *cert, const EVP_PKEY *pkey);
+int do_EXT_add_nconf(CONF *conf1, CONF *conf2, X509V3_CTX *ctx,
+ X509 *cert, const char *msg, const char *sect);
+int do_EXT_REQ_add_nconf(CONF *conf1, CONF *conf2, X509V3_CTX *ctx,
+ X509_REQ *req, const char *msg, const char *sect);
int do_X509_sign(X509 *x, int force_v1, EVP_PKEY *pkey, const char *md,
STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx);
int do_X509_verify(X509 *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vfyopts);
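Review bot: The two new prototypes document neither why they take two CONF pointers nor how the two differ in NULL handling, and the header is where callers in ca.c, req.c and x509.c will look. Judging from the definitions in apps/lib/apps.c, conf1 is installed as the context's db (what `@section` references in extension values are resolved against) while conf2 is the file the named section is read from, only do_EXT_add_nconf substitutes "default" for a NULL sect, and msg is a printf format that must consume sect with a single `%s` (or contain none when sect is NULL). A short comment above the pair stating those three facts, and noting that on failure the message is printed to bio_err and 0 is returned, would stop the next caller from passing NULL to the REQ variant.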
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 2ae56e2c15..db88026fa0 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2386,6 +2386,26 @@ static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey,
&& do_pkey_ctx_init(pkctx, sigopts);
}
+int do_EXT_add_nconf(CONF *conf1, CONF *conf2, X509V3_CTX *ctx,
+ X509 *cert, const char *msg, const char *sect)
+{
+ X509V3_set_nconf(ctx, conf1);
+ if (X509V3_EXT_add_nconf(conf2, ctx, sect != NULL ? sect : "default", cert))
+ return 1;
+ BIO_printf(bio_err, msg, sect);
+ return 0;
+}
+
+int do_EXT_REQ_add_nconf(CONF *conf1, CONF *conf2, X509V3_CTX *ctx,
+ X509_REQ *req, const char *msg, const char *sect)
+{
+ X509V3_set_nconf(ctx, conf1);
+ if (X509V3_EXT_REQ_add_nconf(conf2, ctx, sect, req))
+ return 1;
+ BIO_printf(bio_err, msg, sect);
+ return 0;
+}
+
static int adapt_keyid_ext(X509 *cert, X509V3_CTX *ext_ctx,
const char *name, const char *value, int add_default)
{
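Review bot: do_EXT_add_nconf maps a NULL sect to "default" but do_EXT_REQ_add_nconf does not, so the same NULL argument is valid for one helper and a NULL section lookup for the other; req.c already has to compensate by passing the literal "default" to the REQ variant while passing NULL to the X509 variant. Both helpers also hand the raw `sect` to `BIO_printf(bio_err, msg, sect)`, and because msg is not a literal `-Wformat` cannot check it, so any future caller that combines a `%s` message with a NULL sect reaches undefined behaviour at the printf. I would compute the effective name once in each helper, `const char *name = sect != NULL ? sect : "default";`, pass `name` to both the *_add_nconf call and the printf, and document in the header that msg takes at most one `%s` consuming that name.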
diff --git a/apps/req.c b/apps/req.c
index 144838e295..893abe320a 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -601,24 +601,21 @@ int req_main(int argc, char **argv)
X509V3_CTX ctx;
X509V3_set_ctx_test(&ctx);
- X509V3_set_nconf(&ctx, req_conf);
- if (!X509V3_EXT_add_nconf(req_conf, &ctx, extsect, NULL)) {
- BIO_printf(bio_err,
- "Error checking %s extension section %s\n",
- gen_x509 ? "x509" : "request", extsect);
+ if (!do_EXT_add_nconf(req_conf, req_conf, &ctx, NULL,
+ !gen_x509
+ ? "Error checking request extension section %s\n"
+ : "Error checking x509 extension section %s\n",
+ extsect))
goto end;
- }
}
if (addext_conf != NULL) {
/* Check syntax of command line extensions */
X509V3_CTX ctx;
X509V3_set_ctx_test(&ctx);
- X509V3_set_nconf(&ctx, req_conf);
- if (!X509V3_EXT_add_nconf(addext_conf, &ctx, "default", NULL)) {
- BIO_puts(bio_err, "Error checking extensions defined using -addext\n");
+ if (!do_EXT_add_nconf(req_conf, addext_conf, &ctx, NULL,
+ "Error checking x509 extensions defined via -addext\n", NULL))
goto end;
- }
}
if (passin == NULL)
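Review bot: The new message at `"Error checking x509 extensions defined via -addext\n"` is printed regardless of gen_x509, but -addext is accepted when generating a request too, so a CSR user now gets told about "x509 extensions"; the previous text was neutral and the extsect branch just above still selects its wording on `!gen_x509`. Mirror that selection here, `!gen_x509 ? "Error checking request extensions defined via -addext\n" : "Error checking x509 extensions defined via -addext\n"`, so the two checks report consistently.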
@@ -871,21 +868,16 @@ int req_main(int argc, char **argv)
BIO_puts(bio_err,
"Warning: Signature key and public key of cert do not match\n");
}
- X509V3_set_nconf(&ext_ctx, req_conf);
/* Add extensions */
if (extsect != NULL
- && !X509V3_EXT_add_nconf(req_conf, &ext_ctx, extsect, new_x509)) {
- BIO_printf(bio_err, "Error adding x509 extensions from section %s\n",
- extsect);
+ && !do_EXT_add_nconf(req_conf, req_conf, &ext_ctx, new_x509,
+ "Error adding x509 extensions from section %s\n", extsect))
goto end;
- }
if (addext_conf != NULL
- && !X509V3_EXT_add_nconf(addext_conf, &ext_ctx, "default",
- new_x509)) {
- BIO_puts(bio_err, "Error adding x509 extensions defined via -addext\n");
+ && !do_EXT_add_nconf(addext_conf, addext_conf, &ext_ctx, new_x509,
+ "Error adding x509 extensions defined via -addext\n", NULL))
goto end;
- }
/* If a pre-cert was requested, we need to add a poison extension */
if (precert) {
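Review bot: The -addext call at `do_EXT_add_nconf(addext_conf, addext_conf, &ext_ctx, new_x509, ...)` passes addext_conf as conf1, whereas the removed `X509V3_set_nconf(&ext_ctx, req_conf)` left req_conf as the context db for this call, and the syntax check earlier in this file and the request path below both pass req_conf as conf1. If I read the helper correctly, conf1 becomes the db that `@section` references inside extension values are resolved against, so `-addext "subjectAltName=@alt_names"` with alt_names defined in the config file would have resolved before this commit and in the CSR path, but would now fail in the -x509 path. Unless that divergence is intended, the first argument should be req_conf here as well, `do_EXT_add_nconf(req_conf, addext_conf, &ext_ctx, new_x509,`.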
@@ -910,21 +902,16 @@ int req_main(int argc, char **argv)
}
/* Set up V3 context struct */
X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, X509V3_CTX_REPLACE);
- X509V3_set_nconf(&ext_ctx, req_conf);
/* Add extensions */
if (extsect != NULL
- && !X509V3_EXT_REQ_add_nconf(req_conf, &ext_ctx, extsect, req)) {
- BIO_printf(bio_err, "Error adding request extensions from section %s\n",
- extsect);
+ && !do_EXT_REQ_add_nconf(req_conf, req_conf, &ext_ctx, req,
+ "Error adding request extensions from section %s\n", extsect))
goto end;
- }
if (addext_conf != NULL
- && !X509V3_EXT_REQ_add_nconf(addext_conf, &ext_ctx, "default",
- req)) {
- BIO_puts(bio_err, "Error adding request extensions defined via -addext\n");
+ && !do_EXT_REQ_add_nconf(req_conf, addext_conf, &ext_ctx, req,
+ "Error adding request extensions defined via -addext\n", "default"))
goto end;
- }
i = do_X509_REQ_sign(req, pkey, digest, sigopts);
if (!i)
goto end;
diff --git a/apps/x509.c b/apps/x509.c
index 064843675c..b90cafd75f 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -781,12 +781,9 @@ int x509_main(int argc, char **argv)
extsect = "default";
}
X509V3_set_ctx_test(&ctx2);
- X509V3_set_nconf(&ctx2, extconf);
- if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) {
- BIO_printf(bio_err,
- "Error checking extension section %s\n", extsect);
+ if (!do_EXT_add_nconf(extconf, extconf, &ctx2, NULL,
+ "Error checking extension section %s\n", extsect))
goto err;
- }
}
if (multi && (reqfile || newcert)) {
@@ -950,14 +947,10 @@ cert_loop:
if (!X509V3_set_issuer_pkey(&ext_ctx, privkey))
goto err;
}
- if (extconf != NULL && !x509toreq) {
- X509V3_set_nconf(&ext_ctx, extconf);
- if (!X509V3_EXT_add_nconf(extconf, &ext_ctx, extsect, x)) {
- BIO_printf(bio_err,
- "Error adding extensions from section %s\n", extsect);
- goto err;
- }
- }
+ if (extconf != NULL && !x509toreq
+ && !do_EXT_add_nconf(extconf, extconf, &ext_ctx, x,
+ "Error adding extensions from section %s\n", extsect))
+ goto err;
/* At this point the contents of the certificate x have been finished. */
@@ -978,14 +971,10 @@ cert_loop:
}
if ((rq = x509_to_req(x, ext_copy, ext_names)) == NULL)
goto err;
- if (extconf != NULL) {
- X509V3_set_nconf(&ext_ctx, extconf);
- if (!X509V3_EXT_REQ_add_nconf(extconf, &ext_ctx, extsect, rq)) {
- BIO_printf(bio_err,
- "Error adding request extensions from section %s\n", extsect);
- goto err;
- }
- }
+ if (extconf != NULL
+ && !do_EXT_REQ_add_nconf(extconf, extconf, &ext_ctx, rq,
+ "Error adding request extensions from section %s\n", extsect))
+ goto err;
if (!do_X509_REQ_sign(rq, privkey, digest, sigopts))
goto err;
if (!noout) {
diff --git a/crypto/x509/v3_conf.c b/crypto/x509/v3_conf.c
index 3fb4f092f3..9ccda06732 100644
--- a/crypto/x509/v3_conf.c
+++ b/crypto/x509/v3_conf.c
@@ -446,10 +446,8 @@ static X509V3_CONF_METHOD nconf_method = {
void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf)
{
- if (ctx == NULL) {
- ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_NULL_PARAMETER);
+ if (ctx == NULL)
return;
- }
ctx->db_meth = &nconf_method;
ctx->db = conf;
}
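Review bot: With the ERR_raise removed, a NULL ctx is now a silent no-op from a void function, so a caller that forgets to initialise its context gets neither an error-queue entry nor a return value to test, and the only trace is extensions later resolving against a NULL db. That is a defensible choice for a setter, but it should be stated at the definition so nobody reinstates the raise or assumes an error is reported; a one-line comment above the function, `/* A NULL ctx is ignored: nothing is set and no error is raised. */`, and the same sentence in the manual page for X509V3_set_nconf would make the contract explicit.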