embed certificate serial number and signature fields

Reviewed-by: Rich Salz <rsalz@openssl.org>

crypto/include/internal/x509_int.h

@@ -176,7 +176,7 @@ struct x509_cert_aux_st {
 
 struct x509_cinf_st {
     ASN1_INTEGER *version;      /* [ 0 ] default of v1 */
-    ASN1_INTEGER *serialNumber;
+    ASN1_INTEGER serialNumber;
     X509_ALGOR signature;
     X509_NAME *issuer;
     X509_VAL validity;
@@ -191,7 +191,7 @@ struct x509_cinf_st {
 struct x509_st {
     X509_CINF cert_info;
     X509_ALGOR sig_alg;
-    ASN1_BIT_STRING *signature;
+    ASN1_BIT_STRING signature;
     int valid;
     int references;
     char *name;

crypto/x509/t_x509.c

@@ -238,7 +238,7 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
                                 ci->extensions, cflag, 8);
 
     if (!(cflag & X509_FLAG_NO_SIGDUMP)) {
-        if (X509_signature_print(bp, &x->sig_alg, x->signature) <= 0)
+        if (X509_signature_print(bp, &x->sig_alg, &x->signature) <= 0)
             goto err;
     }
     if (!(cflag & X509_FLAG_NO_AUX)) {

crypto/x509/x509_cmp.c

@@ -72,7 +72,7 @@ int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
 
     ai = &a->cert_info;
     bi = &b->cert_info;
-    i = ASN1_INTEGER_cmp(ai->serialNumber, bi->serialNumber);
+    i = ASN1_INTEGER_cmp(&ai->serialNumber, &bi->serialNumber);
     if (i)
         return (i);
     return (X509_NAME_cmp(ai->issuer, bi->issuer));
@@ -94,8 +94,8 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
         goto err;
     OPENSSL_free(f);
     if (!EVP_DigestUpdate
-        (&ctx, (unsigned char *)a->cert_info.serialNumber->data,
-         (unsigned long)a->cert_info.serialNumber->length))
+        (&ctx, (unsigned char *)a->cert_info.serialNumber.data,
+         (unsigned long)a->cert_info.serialNumber.length))
         goto err;
     if (!EVP_DigestFinal_ex(&ctx, &(md[0]), NULL))
         goto err;
@@ -152,7 +152,7 @@ X509_NAME *X509_get_subject_name(X509 *a)
 
 ASN1_INTEGER *X509_get_serialNumber(X509 *a)
 {
-    return (a->cert_info.serialNumber);
+    return &a->cert_info.serialNumber;
 }
 
 unsigned long X509_subject_name_hash(X509 *x)
@@ -278,7 +278,7 @@ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
     if (!sk)
         return NULL;
 
-    x.cert_info.serialNumber = serial;
+    x.cert_info.serialNumber = *serial;
     x.cert_info.issuer = name;
 
     for (i = 0; i < sk_X509_num(sk); i++) {

crypto/x509/x509_set.c

@@ -85,16 +85,11 @@ int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
     ASN1_INTEGER *in;
 
     if (x == NULL)
-        return (0);
-    in = x->cert_info.serialNumber;
-    if (in != serial) {
-        in = ASN1_INTEGER_dup(serial);
-        if (in != NULL) {
-            ASN1_INTEGER_free(x->cert_info.serialNumber);
-            x->cert_info.serialNumber = in;
-        }
-    }
-    return (in != NULL);
+        return 0;
+    in = &x->cert_info.serialNumber;
+    if (in != serial)
+        return ASN1_STRING_copy(in, serial);
+    return 1;
 }
 
 int X509_set_issuer_name(X509 *x, X509_NAME *name)

crypto/x509/x_all.c

@@ -77,7 +77,7 @@ int X509_verify(X509 *a, EVP_PKEY *r)
     if (X509_ALGOR_cmp(&a->sig_alg, &a->cert_info.signature))
         return 0;
     return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF), &a->sig_alg,
-                             a->signature, &a->cert_info, r));
+                             &a->signature, &a->cert_info, r));
 }
 
 int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
@@ -96,7 +96,8 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
     x->cert_info.enc.modified = 1;
     return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
-                           &x->sig_alg, x->signature, &x->cert_info, pkey, md));
+                           &x->sig_alg, &x->signature, &x->cert_info, pkey,
+                           md));
 }
 
 int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
@@ -104,7 +105,7 @@ int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
     x->cert_info.enc.modified = 1;
     return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
                               &x->cert_info.signature,
-                              &x->sig_alg, x->signature, &x->cert_info, ctx);
+                              &x->sig_alg, &x->signature, &x->cert_info, ctx);
 }
 
 int X509_http_nbio(OCSP_REQ_CTX *rctx, X509 **pcert)

crypto/x509/x_x509.c

@@ -66,7 +66,7 @@
 
 ASN1_SEQUENCE_enc(X509_CINF, enc, 0) = {
         ASN1_EXP_OPT(X509_CINF, version, ASN1_INTEGER, 0),
-        ASN1_SIMPLE(X509_CINF, serialNumber, ASN1_INTEGER),
+        ASN1_EMBED(X509_CINF, serialNumber, ASN1_INTEGER),
         ASN1_EMBED(X509_CINF, signature, X509_ALGOR),
         ASN1_SIMPLE(X509_CINF, issuer, X509_NAME),
         ASN1_EMBED(X509_CINF, validity, X509_VAL),
@@ -135,7 +135,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 ASN1_SEQUENCE_ref(X509, x509_cb, CRYPTO_LOCK_X509) = {
         ASN1_EMBED(X509, cert_info, X509_CINF),
         ASN1_EMBED(X509, sig_alg, X509_ALGOR),
-        ASN1_SIMPLE(X509, signature, ASN1_BIT_STRING)
+        ASN1_EMBED(X509, signature, ASN1_BIT_STRING)
 } ASN1_SEQUENCE_END_ref(X509, X509)
 
 IMPLEMENT_ASN1_FUNCTIONS(X509)
@@ -215,7 +215,7 @@ int i2d_re_X509_tbs(X509 *x, unsigned char **pp)
 void X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509 *x)
 {
     if (psig)
-        *psig = x->signature;
+        *psig = &x->signature;
     if (palg)
         *palg = &x->sig_alg;
 }