diff options
author | David Benjamin <davidben@google.com> | 2016-07-21 03:21:48 +0300 |
---|---|---|
committer | Adam Langley <agl@google.com> | 2016-07-21 20:46:15 +0300 |
commit | 00d7a7cee7e4c483cf326e19e32aa9065f33dc0a (patch) | |
tree | 52d5f38c5c5b2b35b7dbebf4945dea5b4a15768b /include | |
parent | 84f855175379f663491d28d89ba00d4a3e64fb7b (diff) |
Drop cached certificate signature validity flag
It seems risky in the context of cross-signed certificates when the
same certificate might have multiple potential issuers. Also rarely
used, since chains in OpenSSL typically only employ self-signed
trust-anchors, whose self-signatures are not checked, while untrusted
certificates are generally ephemeral.
(Imported from upstream's 0e76014e584ba78ef1d6ecb4572391ef61c4fb51.)
This is in master and not 1.0.2, but having a per-certificate signature
cache when this is a function of signature and issuer seems dubious at
best. Thanks to Viktor Dukhovni for pointing this change out to me.
(And for making the original change upstream, of course.)
Change-Id: Ie692d651726f14aeba6eaab03ac918fcaedb4eeb
Reviewed-on: https://boringssl-review.googlesource.com/8880
Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'include')
-rw-r--r-- | include/openssl/x509.h | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/include/openssl/x509.h b/include/openssl/x509.h index bbc263e0..d68d8ac9 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -243,7 +243,6 @@ struct x509_st X509_CINF *cert_info; X509_ALGOR *sig_alg; ASN1_BIT_STRING *signature; - int valid; CRYPTO_refcount_t references; char *name; CRYPTO_EX_DATA ex_data; |