X509_sign, etc., should return the length of the signature on success

Prior to https://boringssl-review.googlesource.com/c/boringssl/+/58548,
ASN1_item_sign_ctx returned the length of the signature on success. It's
unclear why anyone would ever want this, but some test was sensitive to
it (most likely due to a typo in that test).

Restore the old behavior.

Change-Id: Ibf3e45331a339226744d51df703634d02b08a7c4
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59307
Reviewed-by: Bob Beck <bbe@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
David Benjamin 2023-04-25 21:45:00 -04:00 committed by Boringssl LUCI CQ
parent a0afd6ae2c
commit 0c7527bb3a
3 changed files with 34 additions and 28 deletions


@ -126,7 +126,7 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1,
out = NULL;
signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
ret = 1;
ret = (int)out_len;
err:
EVP_MD_CTX_cleanup(ctx);
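Review bot: The new `ret = (int)out_len;` narrows a `size_t` to `int` with no visible bound check; unless `out_len` is already capped at `INT_MAX` earlier in `ASN1_item_sign_ctx` (outside this hunk, e.g. where it is stored into the `ASN1_STRING` length field), a larger value has an implementation-defined conversion and could come back as zero or negative, which the new contract means "error", even though the signature bits were already attached to `signature` on the lines above. A defensive guard on the success path would close that gap: `if (out_len > INT_MAX) { OPENSSL_PUT_ERROR(X509, ERR_R_OVERFLOW); goto err; }` before the flags are set, or a one-line comment stating where the bound is enforced. Real signatures are orders of magnitude below this limit, so this is about making the "positive length on success" guarantee explicit rather than a practical overflow. The function starts before and ends after this hunk.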


@ -2048,7 +2048,12 @@ TEST(X509Test, SignCertificate) {
ASSERT_TRUE(
X509_set1_signature_value(cert.get(), sig.data(), sig.size()));
} else {
ASSERT_TRUE(X509_sign(cert.get(), pkey.get(), EVP_sha384()));
int ret = X509_sign(cert.get(), pkey.get(), EVP_sha384());
ASSERT_GT(ret, 0);
// |X509_sign| returns the length of the signature on success.
const ASN1_BIT_STRING *sig;
X509_get0_signature(&sig, /*out_alg=*/nullptr, cert.get());
EXPECT_EQ(ret, ASN1_STRING_length(sig));
}
// Check the signature.
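Review bot: Only the `X509_sign` path is pinned to the restored return value here, while the same commit documents `X509_sign_ctx`, `X509_CRL_sign`, `X509_REQ_sign` and `NETSCAPE_SPKI_sign` as returning the length too; nothing in this hunk exercises those wrappers, so a later change that normalizes any of them to 1 would pass CI. Wherever those signers are already tested, the same two-line check would catch it, e.g. `int ret = X509_CRL_sign(crl.get(), pkey.get(), EVP_sha256()); ASSERT_GT(ret, 0);` followed by `EXPECT_EQ(ret, ASN1_STRING_length(crl_sig));` with the signature obtained via the corresponding `get0_signature` accessor. A harmless `ASSERT_NE(sig, nullptr);` after `X509_get0_signature` would also keep `ASN1_STRING_length` from ever seeing an unset pointer if that accessor's contract changes. The enclosing test body begins before and continues after this hunk.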


@ -348,16 +348,17 @@ OPENSSL_EXPORT X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
OPENSSL_EXPORT int X509_add_ext(X509 *x, const X509_EXTENSION *ex, int loc);
// X509_sign signs |x509| with |pkey| and replaces the signature algorithm and
// signature fields. It returns one on success and zero on error. This function
// uses digest algorithm |md|, or |pkey|'s default if NULL. Other signing
// parameters use |pkey|'s defaults. To customize them, use |X509_sign_ctx|.
// signature fields. It returns the length of the signature on success and zero
// on error. This function uses digest algorithm |md|, or |pkey|'s default if
// NULL. Other signing parameters use |pkey|'s defaults. To customize them, use
// |X509_sign_ctx|.
OPENSSL_EXPORT int X509_sign(X509 *x509, EVP_PKEY *pkey, const EVP_MD *md);
// X509_sign_ctx signs |x509| with |ctx| and replaces the signature algorithm
// and signature fields. It returns one on success and zero on error. The
// signature algorithm and parameters come from |ctx|, which must have been
// initialized with |EVP_DigestSignInit|. The caller should configure the
// corresponding |EVP_PKEY_CTX| before calling this function.
// and signature fields. It returns the length of the signature on success and
// zero on error. The signature algorithm and parameters come from |ctx|, which
// must have been initialized with |EVP_DigestSignInit|. The caller should
// configure the corresponding |EVP_PKEY_CTX| before calling this function.
OPENSSL_EXPORT int X509_sign_ctx(X509 *x509, EVP_MD_CTX *ctx);
// i2d_re_X509_tbs serializes the TBSCertificate portion of |x509|, as described
@ -634,18 +635,18 @@ OPENSSL_EXPORT int X509_CRL_add_ext(X509_CRL *x, const X509_EXTENSION *ex,
int loc);
// X509_CRL_sign signs |crl| with |pkey| and replaces the signature algorithm
// and signature fields. It returns one on success and zero on error. This
// function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
// signing parameters use |pkey|'s defaults. To customize them, use
// |X509_CRL_sign_ctx|.
// and signature fields. It returns the length of the signature on success and
// zero on error. This function uses digest algorithm |md|, or |pkey|'s default
// if NULL. Other signing parameters use |pkey|'s defaults. To customize them,
// use |X509_CRL_sign_ctx|.
OPENSSL_EXPORT int X509_CRL_sign(X509_CRL *crl, EVP_PKEY *pkey,
const EVP_MD *md);
// X509_CRL_sign_ctx signs |crl| with |ctx| and replaces the signature algorithm
// and signature fields. It returns one on success and zero on error. The
// signature algorithm and parameters come from |ctx|, which must have been
// initialized with |EVP_DigestSignInit|. The caller should configure the
// corresponding |EVP_PKEY_CTX| before calling this function.
// and signature fields. It returns the length of the signature on success and
// zero on error. The signature algorithm and parameters come from |ctx|, which
// must have been initialized with |EVP_DigestSignInit|. The caller should
// configure the corresponding |EVP_PKEY_CTX| before calling this function.
OPENSSL_EXPORT int X509_CRL_sign_ctx(X509_CRL *crl, EVP_MD_CTX *ctx);
// i2d_re_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described
@ -873,18 +874,18 @@ OPENSSL_EXPORT int X509_REQ_add_extensions(
X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts);
// X509_REQ_sign signs |req| with |pkey| and replaces the signature algorithm
// and signature fields. It returns one on success and zero on error. This
// function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
// signing parameters use |pkey|'s defaults. To customize them, use
// |X509_REQ_sign_ctx|.
// and signature fields. It returns the length of the signature on success and
// zero on error. This function uses digest algorithm |md|, or |pkey|'s default
// if NULL. Other signing parameters use |pkey|'s defaults. To customize them,
// use |X509_REQ_sign_ctx|.
OPENSSL_EXPORT int X509_REQ_sign(X509_REQ *req, EVP_PKEY *pkey,
const EVP_MD *md);
// X509_REQ_sign_ctx signs |req| with |ctx| and replaces the signature algorithm
// and signature fields. It returns one on success and zero on error. The
// signature algorithm and parameters come from |ctx|, which must have been
// initialized with |EVP_DigestSignInit|. The caller should configure the
// corresponding |EVP_PKEY_CTX| before calling this function.
// and signature fields. It returns the length of the signature on success and
// zero on error. The signature algorithm and parameters come from |ctx|, which
// must have been initialized with |EVP_DigestSignInit|. The caller should
// configure the corresponding |EVP_PKEY_CTX| before calling this function.
OPENSSL_EXPORT int X509_REQ_sign_ctx(X509_REQ *req, EVP_MD_CTX *ctx);
// i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC 2986)
@ -2193,9 +2194,9 @@ OPENSSL_EXPORT int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *spki,
EVP_PKEY *pkey);
// NETSCAPE_SPKI_sign signs |spki| with |pkey| and replaces the signature
// algorithm and signature fields. It returns one on success and zero on error.
// This function uses digest algorithm |md|, or |pkey|'s default if NULL. Other
// signing parameters use |pkey|'s defaults.
// algorithm and signature fields. It returns the length of the signature on
// success and zero on error. This function uses digest algorithm |md|, or
// |pkey|'s default if NULL. Other signing parameters use |pkey|'s defaults.
OPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey,
const EVP_MD *md);
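Review bot: The rewritten comments on `X509_sign` (and the CRL/REQ/SPKI and `_ctx` siblings in the later hunks) say "the length of the signature" without stating the unit, and do not warn that callers written against the previous text ("one on success") who compare the result `== 1` will now treat every successful signature as a failure. For a public header that is the practical caveat a caller needs, so I would word the return sentence as `// It returns the length, in bytes, of the signature on success and zero on error; callers should test for a positive return value rather than comparing against one.` The test added in this commit pins the value to `ASN1_STRING_length` of the signature BIT STRING, which supports "bytes". Since this reverts a contract that shipped after change 58548, a note in the commit message about callers that adopted the `== 1` form would also be useful.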