Fix more certificate related lib_ctx settings.

Fixes #13732

Fix a few places that were not using the '_ex' variants of
ASN1_item_sign/verify.

Added X509_CRL_new_ex().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14752)

apps/ca.c

@@ -1178,7 +1178,7 @@ end_of_options:
 
         if (verbose)
             BIO_printf(bio_err, "making CRL\n");
-        if ((crl = X509_CRL_new()) == NULL)
+        if ((crl = X509_CRL_new_ex(app_get0_libctx(), app_get0_propq())) == NULL)
             goto end;
         if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509)))
             goto end;

apps/ocsp.c

@@ -469,7 +469,8 @@ int ocsp_main(int argc, char **argv)
         case OPT_RSIGOPT:
             if (rsign_sigopts == NULL)
                 rsign_sigopts = sk_OPENSSL_STRING_new_null();
-            if (rsign_sigopts == NULL || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg()))
+            if (rsign_sigopts == NULL
+                || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg()))
                 goto end;
             break;
         case OPT_HEADER:
@@ -676,8 +677,8 @@ redo_accept:
         if (key == NULL)
             goto end;
 
-        if (!OCSP_request_sign
+        if (!OCSP_request_sign(req, signer, key, NULL,
-            (req, signer, key, NULL, sign_other, sign_flags)) {
+                               sign_other, sign_flags)) {
             BIO_printf(bio_err, "Error signing OCSP request\n");
             goto end;
         }
@@ -696,8 +697,8 @@ redo_accept:
 
     if (rdb != NULL) {
         make_ocsp_response(bio_err, &resp, req, rdb, rca_cert, rsigner, rkey,
-                           rsign_md, rsign_sigopts, rother, rflags, nmin, ndays, badsig,
+                           rsign_md, rsign_sigopts, rother, rflags, nmin, ndays,
-                           resp_certid_md);
+                           badsig, resp_certid_md);
         if (cbio != NULL)
             send_ocsp_response(cbio, resp);
     } else if (host != NULL) {

apps/req.c

@@ -802,7 +802,7 @@ int req_main(int argc, char **argv)
         }
 
         if (req == NULL) {
-            req = X509_REQ_new();
+            req = X509_REQ_new_ex(app_get0_libctx(), app_get0_propq());
             if (req == NULL) {
                 goto end;
             }

crypto/asn1/a_sign.c

@@ -136,6 +136,7 @@ int ASN1_item_sign_ex(const ASN1_ITEM *it, X509_ALGOR *algor1,
         ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
         return 0;
     }
+    /* We can use the non _ex variant here since the pkey is already setup */
     if (!EVP_DigestSignInit(ctx, NULL, md, NULL, pkey))
         goto err;
 

crypto/ocsp/ocsp_cl.c

@@ -94,7 +94,7 @@ int OCSP_request_sign(OCSP_REQUEST *req,
                       OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
             goto err;
         }
-        if (!OCSP_REQUEST_sign(req, key, dgst))
+        if (!OCSP_REQUEST_sign(req, key, dgst, signer->libctx, signer->propq))
             goto err;
     }
 

crypto/ocsp/ocsp_local.h

@@ -217,22 +217,30 @@ struct ocsp_service_locator_st {
     STACK_OF(ACCESS_DESCRIPTION) *locator;
 };
 
-#  define OCSP_REQUEST_sign(o,pkey,md) \
+#  define OCSP_REQUEST_sign(o, pkey, md, libctx, propq)\
-        ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
+        ASN1_item_sign_ex(ASN1_ITEM_rptr(OCSP_REQINFO),\
-                &(o)->optionalSignature->signatureAlgorithm,NULL,\
+                          &(o)->optionalSignature->signatureAlgorithm, NULL,\
-                (o)->optionalSignature->signature,&(o)->tbsRequest,pkey,md)
+                         (o)->optionalSignature->signature, &(o)->tbsRequest,\
+                         NULL, pkey, md, libctx, propq)
 
-#  define OCSP_BASICRESP_sign(o,pkey,md,d) \
+#  define OCSP_BASICRESP_sign(o, pkey, md, d, libctx, propq)\
-        ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
+        ASN1_item_sign_ex(ASN1_ITEM_rptr(OCSP_RESPDATA),\
-                NULL,(o)->signature,&(o)->tbsResponseData,pkey,md)
+                          &(o)->signatureAlgorithm, NULL,\
+                          (o)->signature, &(o)->tbsResponseData,\
+                          NULL, pkey, md, libctx, propq)
 
-#  define OCSP_BASICRESP_sign_ctx(o,ctx,d) \
+#  define OCSP_BASICRESP_sign_ctx(o, ctx, d)\
-        ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\
+        ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),\
-                NULL,(o)->signature,&(o)->tbsResponseData,ctx)
+                           &(o)->signatureAlgorithm, NULL,\
+                           (o)->signature, &(o)->tbsResponseData, ctx)
 
-#  define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
+#  define OCSP_REQUEST_verify(a, r, libctx, propq)\
-        &(a)->optionalSignature->signatureAlgorithm,\
+        ASN1_item_verify_ex(ASN1_ITEM_rptr(OCSP_REQINFO),\
-        (a)->optionalSignature->signature,&(a)->tbsRequest,r)
+                            &(a)->optionalSignature->signatureAlgorithm,\
+                            (a)->optionalSignature->signature, &(a)->tbsRequest,\
+                            NULL, r, libctx, propq)
 
-#  define OCSP_BASICRESP_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+#  define OCSP_BASICRESP_verify(a, r, libctx, propq)\
-        &(a)->signatureAlgorithm,(a)->signature,&(a)->tbsResponseData,r)
+        ASN1_item_verify_ex(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+                            &(a)->signatureAlgorithm, (a)->signature,\
+                            &(a)->tbsResponseData, NULL, r, libctx, propq)

crypto/ocsp/ocsp_srv.c

@@ -223,7 +223,8 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp,
     if (ctx == NULL)
         return 0;
 
-    if (!EVP_DigestSignInit(ctx, &pkctx, dgst, NULL, key)) {
+    if (!EVP_DigestSignInit_ex(ctx, &pkctx, EVP_MD_name(dgst),
+                               signer->libctx, signer->propq, key, NULL)) {
         EVP_MD_CTX_free(ctx);
         return 0;
     }
@@ -277,7 +278,7 @@ int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert,
 
 int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert)
 {
-    return OCSP_RESPID_set_by_key_ex(respid, cert, NULL, NULL);
+    return OCSP_RESPID_set_by_key_ex(respid, cert, cert->libctx, cert->propq);
 }
 
 int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx,
@@ -318,5 +319,5 @@ int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx,
 
 int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert)
 {
-    return OCSP_RESPID_match_ex(respid, cert, NULL, NULL);
+    return OCSP_RESPID_match_ex(respid, cert, cert->libctx, cert->propq);
 }

crypto/ocsp/ocsp_vfy.c

@@ -84,9 +84,9 @@ static int ocsp_verify(OCSP_REQUEST *req, OCSP_BASICRESP *bs,
             return -1;
         }
         if (req != NULL)
-            ret = OCSP_REQUEST_verify(req, skey);
+            ret = OCSP_REQUEST_verify(req, skey, signer->libctx, signer->propq);
         else
-            ret = OCSP_BASICRESP_verify(bs, skey);
+            ret = OCSP_BASICRESP_verify(bs, skey, signer->libctx, signer->propq);
         if (ret <= 0)
             ERR_raise(ERR_LIB_OCSP, OCSP_R_SIGNATURE_FAILURE);
     }

crypto/x509/x509_vfy.c

@@ -2052,7 +2052,7 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
         return NULL;
     }
     /* Create new CRL */
-    crl = X509_CRL_new();
+    crl = X509_CRL_new_ex(base->libctx, base->propq);
     if (crl == NULL || !X509_CRL_set_version(crl, 1))
         goto memerr;
     /* Set issuer name */

crypto/x509/x_all.c

@@ -59,8 +59,9 @@ int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
     x->cert_info.enc.modified = 1;
-    return ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
+    return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
-                          &x->sig_alg, &x->signature, &x->cert_info, pkey, md);
+                             &x->sig_alg, &x->signature, &x->cert_info, NULL,
+                             pkey, md, x->libctx, x->propq);
 }
 
 int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
@@ -89,8 +90,9 @@ X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
 
 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
-    return ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
+    return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
-                          x->signature, &x->req_info, pkey, md);
+                             x->signature, &x->req_info, NULL,
+                             pkey, md, x->libctx, x->propq);
 }
 
 int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
@@ -103,8 +105,9 @@ int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
     x->crl.enc.modified = 1;
-    return ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
+    return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
-                          &x->sig_alg, &x->signature, &x->crl, pkey, md);
+                             &x->sig_alg, &x->signature, &x->crl, NULL,
+                             pkey, md, x->libctx, x->propq);
 }
 
 int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
@@ -123,8 +126,8 @@ X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
 
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
-    return ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
+    return ASN1_item_sign_ex(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
-                          x->signature, x->spkac, pkey, md);
+                          x->signature, x->spkac, NULL, pkey, md, NULL, NULL);
 }
 
 #ifndef OPENSSL_NO_STDIO

crypto/x509/x_crl.c

@@ -340,6 +340,18 @@ static int X509_REVOKED_cmp(const X509_REVOKED *const *a,
                             (ASN1_STRING *)&(*b)->serialNumber));
 }
 
+X509_CRL *X509_CRL_new_ex(OSSL_LIB_CTX *libctx, const char *propq)
+{
+    X509_CRL *crl = NULL;
+
+    crl = (X509_CRL *)ASN1_item_new((X509_CRL_it()));
+    if (!ossl_x509_crl_set0_libctx(crl, libctx, propq)) {
+        X509_CRL_free(crl);
+        crl = NULL;
+    }
+    return crl;
+}
+
 int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
 {
     X509_CRL_INFO *inf;
@@ -381,8 +393,9 @@ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x)
 
 static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r)
 {
-    return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO),
+    return (ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CRL_INFO),
-                             &crl->sig_alg, &crl->signature, &crl->crl, r));
+                                &crl->sig_alg, &crl->signature, &crl->crl, NULL,
+                                r, crl->libctx, crl->propq));
 }
 
 static int crl_revoked_issuer_match(X509_CRL *crl, const X509_NAME *nm,

doc/man3/X509_dup.pod

@@ -274,6 +274,7 @@ X509_CRL_INFO_free,
 X509_CRL_INFO_new,
 X509_CRL_dup,
 X509_CRL_free,
+X509_CRL_new_ex,
 X509_CRL_new,
 X509_EXTENSION_dup,
 X509_EXTENSION_free,
@@ -349,7 +350,8 @@ The object returned must be released by calling B<I<TYPE>_free>().
 
 B<I<TYPE>_new_ex>() is similiar to B<I<TYPE>_new>() but also passes the
 library context I<libctx> and the property query I<propq> to use when retrieving
-algorithms from providers.
+algorithms from providers. This created object can then be used when loading
+binary data using B<d2i_I<TYPE>>().
 
 B<I<TYPE>_dup>() copies an existing object, leaving it untouched.
 
@@ -371,8 +373,8 @@ B<I<TYPE>_print_ctx>() returns 1 on success or zero on failure.
 
 =head1 HISTORY
 
-The functions PKCS7_new_ex() and CMS_ContentInfo_new_ex() were
+The functions X509_REQ_new_ex(), X509_CRL_new_ex(), PKCS7_new_ex() and
-added in OpenSSL 3.0.
+CMS_ContentInfo_new_ex() were added in OpenSSL 3.0.
 
 The functions DSAparams_dup(), RSAPrivateKey_dup() and RSAPublicKey_dup() were
 deprecated in 3.0.

doc/man3/X509_new.pod

@@ -25,7 +25,8 @@ X509_new_ex() allocates and initializes a X509 structure with a
 library context of I<libctx>, property query of <propq> and a reference
 count of B<1>. Many X509 functions such as X509_check_purpose(), and
 X509_verify() use this library context to select which providers supply the
-fetched algorithms (SHA1 is used internally).
+fetched algorithms (SHA1 is used internally). This created X509 object can then
+be used when loading binary data using d2i_X509().
 
 X509_new() is similar to X509_new_ex() but sets the library context
 and property query to NULL. This results in the default (NULL) library context

include/openssl/x509.h.in

@@ -642,6 +642,7 @@ STACK_OF(ASN1_OBJECT) *X509_get0_reject_objects(X509 *x);
 DECLARE_ASN1_FUNCTIONS(X509_REVOKED)
 DECLARE_ASN1_FUNCTIONS(X509_CRL_INFO)
 DECLARE_ASN1_FUNCTIONS(X509_CRL)
+X509_CRL *X509_CRL_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
 
 int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
 int X509_CRL_get0_by_serial(X509_CRL *crl,

util/libcrypto.num

@@ -5347,3 +5347,4 @@ EVP_ASYM_CIPHER_description             ?	3_0_0	EXIST::FUNCTION:
 EVP_KEM_description                     ?	3_0_0	EXIST::FUNCTION:
 EVP_KEYEXCH_description                 ?	3_0_0	EXIST::FUNCTION:
 EVP_KDF_description                     ?	3_0_0	EXIST::FUNCTION:
+X509_CRL_new_ex                         ?	3_0_0	EXIST::FUNCTION: