diff options
author | David Benjamin <davidben@google.com> | 2023-12-26 07:58:45 -0500 |
---|---|---|
committer | Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2024-02-15 04:05:02 +0000 |
commit | 1b08502fe2f9ffa82d2fcaa3bec39eda0bf83e83 (patch) | |
tree | b04715a3f08f7fa78535d43f710f24c45e9f7a1e | |
parent | 5a1a5fbdb865fa58f1da0fd8bf6426f801ea37ac (diff) | |
download | boringssl-1b08502fe2f9ffa82d2fcaa3bec39eda0bf83e83.zip boringssl-1b08502fe2f9ffa82d2fcaa3bec39eda0bf83e83.tar.gz boringssl-1b08502fe2f9ffa82d2fcaa3bec39eda0bf83e83.tar.bz2 |
Unexport most of X509_TRUST and X509_PURPOSE and simplify
X509_PURPOSE can't be fully trimmed because rust-openssl uses a few APIs
to look up purposes by string.
Change-Id: I39e3cec4d8b01ecf7dec1f368fabea4a82eff8e9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65788
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
-rw-r--r-- | crypto/x509/internal.h | 7 | ||||
-rw-r--r-- | crypto/x509/v3_purp.c | 56 | ||||
-rw-r--r-- | crypto/x509/x509_test.cc | 9 | ||||
-rw-r--r-- | crypto/x509/x509_trs.c | 52 | ||||
-rw-r--r-- | include/openssl/base.h | 2 | ||||
-rw-r--r-- | include/openssl/x509.h | 49 |
6 files changed, 70 insertions, 105 deletions
diff --git a/crypto/x509/internal.h b/crypto/x509/internal.h index 422e51c..d35c7f5 100644 --- a/crypto/x509/internal.h +++ b/crypto/x509/internal.h @@ -588,6 +588,13 @@ GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method, // |X509_NAME| issue is resolved. int X509_check_akid(X509 *issuer, const AUTHORITY_KEYID *akid); +int X509_TRUST_set(int *t, int trust); +int X509_TRUST_get_by_id(int id); + +int X509_PURPOSE_set(int *p, int purpose); +int X509_PURPOSE_get_by_id(int id); +int X509_PURPOSE_get_trust(const X509_PURPOSE *xp); + #if defined(__cplusplus) } // extern C diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c index 8e0548d..fe6cb0f 100644 --- a/crypto/x509/v3_purp.c +++ b/crypto/x509/v3_purp.c @@ -68,6 +68,14 @@ #include "../internal.h" #include "internal.h" + +struct x509_purpose_st { + int purpose; + int trust; // Default trust ID + int (*check_purpose)(const struct x509_purpose_st *, const X509 *, int); + const char *sname; +} /* X509_PURPOSE */; + #define V1_ROOT (EXFLAG_V1 | EXFLAG_SS) #define ku_reject(x, usage) \ (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) @@ -97,29 +105,24 @@ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca); #define X509_TRUST_NONE (-1) static const X509_PURPOSE xstandard[] = { - {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, - check_purpose_ssl_client, (char *)"SSL client", (char *)"sslclient", NULL}, - {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, - check_purpose_ssl_server, (char *)"SSL server", (char *)"sslserver", NULL}, - {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, - check_purpose_ns_ssl_server, (char *)"Netscape SSL server", - (char *)"nssslserver", NULL}, - {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, - (char *)"S/MIME signing", (char *)"smimesign", NULL}, - {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, - check_purpose_smime_encrypt, (char *)"S/MIME encryption", - (char *)"smimeencrypt", NULL}, - {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, - (char *)"CRL signing", (char *)"crlsign", NULL}, - {X509_PURPOSE_ANY, X509_TRUST_NONE, 0, no_check, (char *)"Any Purpose", - (char *)"any", NULL}, + {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, check_purpose_ssl_client, + "sslclient"}, + {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, check_purpose_ssl_server, + "sslserver"}, + {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, + check_purpose_ns_ssl_server, "nssslserver"}, + {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, check_purpose_smime_sign, + "smimesign"}, + {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, check_purpose_smime_encrypt, + "smimeencrypt"}, + {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, check_purpose_crl_sign, + "crlsign"}, + {X509_PURPOSE_ANY, X509_TRUST_NONE, no_check, "any"}, // |X509_PURPOSE_OCSP_HELPER| performs no actual checks. OpenSSL's OCSP // implementation relied on the caller performing EKU and KU checks. - {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, no_check, - (char *)"OCSP helper", (char *)"ocsphelper", NULL}, - {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, - check_purpose_timestamp_sign, (char *)"Time Stamp signing", - (char *)"timestampsign", NULL}, + {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, no_check, "ocsphelper"}, + {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, check_purpose_timestamp_sign, + "timestampsign"}, }; int X509_check_purpose(X509 *x, int id, int ca) { @@ -156,8 +159,6 @@ int X509_PURPOSE_set(int *p, int purpose) { return 1; } -int X509_PURPOSE_get_count(void) { return OPENSSL_ARRAY_SIZE(xstandard); } - const X509_PURPOSE *X509_PURPOSE_get0(int idx) { if (idx < 0 || (size_t)idx >= OPENSSL_ARRAY_SIZE(xstandard)) { return NULL; @@ -166,9 +167,8 @@ const X509_PURPOSE *X509_PURPOSE_get0(int idx) { } int X509_PURPOSE_get_by_sname(const char *sname) { - const X509_PURPOSE *xptmp; - for (int i = 0; i < X509_PURPOSE_get_count(); i++) { - xptmp = X509_PURPOSE_get0(i); + for (int i = 0; i < (int)OPENSSL_ARRAY_SIZE(xstandard); i++) { + const X509_PURPOSE *xptmp = X509_PURPOSE_get0(i); if (!strcmp(xptmp->sname, sname)) { return i; } @@ -189,10 +189,6 @@ int X509_PURPOSE_get_by_id(int purpose) { int X509_PURPOSE_get_id(const X509_PURPOSE *xp) { return xp->purpose; } -char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp) { return xp->name; } - -char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp) { return xp->sname; } - int X509_PURPOSE_get_trust(const X509_PURPOSE *xp) { return xp->trust; } int X509_supported_extension(const X509_EXTENSION *ex) { diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc index a3616dc..50fb34c 100644 --- a/crypto/x509/x509_test.cc +++ b/crypto/x509/x509_test.cc @@ -7721,6 +7721,15 @@ TEST(X509Test, Trust) { {intermediate.normal.get()}, {}, /*flags=*/0, set_server_trust)); } +// Test some APIs that rust-openssl uses to look up purposes by name. +TEST(X509Test, PurposeByShortName) { + int idx = X509_PURPOSE_get_by_sname("sslserver"); + ASSERT_NE(idx, -1); + const X509_PURPOSE *purpose = X509_PURPOSE_get0(idx); + ASSERT_TRUE(purpose); + EXPECT_EQ(X509_PURPOSE_get_id(purpose), X509_PURPOSE_SSL_SERVER); +} + TEST(X509Test, CriticalExtension) { bssl::UniquePtr<EVP_PKEY> key = PrivateKeyFromPEM(kP256Key); ASSERT_TRUE(key); diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c index 907e492..a626c88 100644 --- a/crypto/x509/x509_trs.c +++ b/crypto/x509/x509_trs.c @@ -66,23 +66,28 @@ #include "internal.h" +typedef struct x509_trust_st X509_TRUST; + +struct x509_trust_st { + int trust; + int (*check_trust)(const X509_TRUST *, X509 *, int); + int nid; +} /* X509_TRUST */; + +static const X509_TRUST *X509_TRUST_get0(int idx); + static int trust_1oidany(const X509_TRUST *trust, X509 *x, int flags); static int trust_compat(const X509_TRUST *trust, X509 *x, int flags); static int obj_trust(int id, X509 *x, int flags); static const X509_TRUST trstandard[] = { - {X509_TRUST_COMPAT, 0, trust_compat, (char *)"compatible", 0, NULL}, - {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, (char *)"SSL Client", - NID_client_auth, NULL}, - {X509_TRUST_SSL_SERVER, 0, trust_1oidany, (char *)"SSL Server", - NID_server_auth, NULL}, - {X509_TRUST_EMAIL, 0, trust_1oidany, (char *)"S/MIME email", - NID_email_protect, NULL}, - {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, (char *)"Object Signer", - NID_code_sign, NULL}, - {X509_TRUST_TSA, 0, trust_1oidany, (char *)"TSA server", NID_time_stamp, - NULL}}; + {X509_TRUST_COMPAT, trust_compat, 0}, + {X509_TRUST_SSL_CLIENT, trust_1oidany, NID_client_auth}, + {X509_TRUST_SSL_SERVER, trust_1oidany, NID_server_auth}, + {X509_TRUST_EMAIL, trust_1oidany, NID_email_protect}, + {X509_TRUST_OBJECT_SIGN, trust_1oidany, NID_code_sign}, + {X509_TRUST_TSA, trust_1oidany, NID_time_stamp}}; int X509_check_trust(X509 *x, int id, int flags) { if (id == -1) { @@ -104,9 +109,7 @@ int X509_check_trust(X509 *x, int id, int flags) { return pt->check_trust(pt, x, flags); } -int X509_TRUST_get_count(void) { return OPENSSL_ARRAY_SIZE(trstandard); } - -const X509_TRUST *X509_TRUST_get0(int idx) { +static const X509_TRUST *X509_TRUST_get0(int idx) { if (idx < 0 || (size_t)idx >= OPENSSL_ARRAY_SIZE(trstandard)) { return NULL; } @@ -133,15 +136,9 @@ int X509_TRUST_set(int *t, int trust) { return 1; } -int X509_TRUST_get_flags(const X509_TRUST *xp) { return xp->flags; } - -char *X509_TRUST_get0_name(const X509_TRUST *xp) { return xp->name; } - -int X509_TRUST_get_trust(const X509_TRUST *xp) { return xp->trust; } - static int trust_1oidany(const X509_TRUST *trust, X509 *x, int flags) { if (x->aux && (x->aux->trust || x->aux->reject)) { - return obj_trust(trust->arg1, x, flags); + return obj_trust(trust->nid, x, flags); } // we don't have any trust settings: for compatibility we return trusted // if it is self signed @@ -160,24 +157,21 @@ static int trust_compat(const X509_TRUST *trust, X509 *x, int flags) { } static int obj_trust(int id, X509 *x, int flags) { - ASN1_OBJECT *obj; - size_t i; - X509_CERT_AUX *ax; - ax = x->aux; + X509_CERT_AUX *ax = x->aux; if (!ax) { return X509_TRUST_UNTRUSTED; } if (ax->reject) { - for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) { - obj = sk_ASN1_OBJECT_value(ax->reject, i); + for (size_t i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) { + const ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->reject, i); if (OBJ_obj2nid(obj) == id) { return X509_TRUST_REJECTED; } } } if (ax->trust) { - for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) { - obj = sk_ASN1_OBJECT_value(ax->trust, i); + for (size_t i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) { + const ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->trust, i); if (OBJ_obj2nid(obj) == id) { return X509_TRUST_TRUSTED; } diff --git a/include/openssl/base.h b/include/openssl/base.h index 98de503..9b72e99 100644 --- a/include/openssl/base.h +++ b/include/openssl/base.h @@ -378,11 +378,11 @@ typedef struct x509_attributes_st X509_ATTRIBUTE; typedef struct x509_lookup_st X509_LOOKUP; typedef struct x509_lookup_method_st X509_LOOKUP_METHOD; typedef struct x509_object_st X509_OBJECT; +typedef struct x509_purpose_st X509_PURPOSE; typedef struct x509_revoked_st X509_REVOKED; typedef struct x509_st X509; typedef struct x509_store_ctx_st X509_STORE_CTX; typedef struct x509_store_st X509_STORE; -typedef struct x509_trust_st X509_TRUST; typedef void *OPENSSL_BLOCK; diff --git a/include/openssl/x509.h b/include/openssl/x509.h index b864809..60d1835 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -655,14 +655,14 @@ OPENSSL_EXPORT const uint8_t *X509_keyid_get0(const X509 *x509, int *out_len); // X509_add1_trust_object configures |x509| as a valid trust anchor for |obj|. // It returns one on success and zero on error. |obj| should be a certificate -// usage OID associated with an |X509_TRUST| object. +// usage OID associated with an |X509_TRUST_*| constant. // // See |X509_VERIFY_PARAM_set_trust| for details on how this value is evaluated. OPENSSL_EXPORT int X509_add1_trust_object(X509 *x509, const ASN1_OBJECT *obj); // X509_add1_reject_object configures |x509| as distrusted for |obj|. It returns // one on success and zero on error. |obj| should be a certificate usage OID -// associated with an |X509_TRUST| object. +// associated with an |X509_TRUST_*| constant. // // See |X509_VERIFY_PARAM_set_trust| for details on how this value is evaluated. OPENSSL_EXPORT int X509_add1_reject_object(X509 *x509, const ASN1_OBJECT *obj); @@ -4331,19 +4331,6 @@ struct X509_algor_st { DECLARE_STACK_OF(DIST_POINT) -// This is used for a table of trust checking functions - -struct x509_trust_st { - int trust; - int flags; - int (*check_trust)(const X509_TRUST *, X509 *, int); - char *name; - int arg1; - void *arg2; -} /* X509_TRUST */; - -DEFINE_STACK_OF(X509_TRUST) - OPENSSL_EXPORT const char *X509_get_default_cert_area(void); OPENSSL_EXPORT const char *X509_get_default_cert_dir(void); OPENSSL_EXPORT const char *X509_get_default_cert_file(void); @@ -4352,8 +4339,6 @@ OPENSSL_EXPORT const char *X509_get_default_cert_file_env(void); OPENSSL_EXPORT const char *X509_get_default_private_dir(void); -OPENSSL_EXPORT int X509_TRUST_set(int *t, int trust); - OPENSSL_EXPORT int X509_cmp(const X509 *a, const X509 *b); // X509_NAME_hash returns a hash of |name|, or zero on error. This is the new @@ -4384,13 +4369,6 @@ OPENSSL_EXPORT uint32_t X509_NAME_hash_old(X509_NAME *name); OPENSSL_EXPORT int X509_CRL_match(const X509_CRL *a, const X509_CRL *b); -OPENSSL_EXPORT int X509_TRUST_get_count(void); -OPENSSL_EXPORT const X509_TRUST *X509_TRUST_get0(int idx); -OPENSSL_EXPORT int X509_TRUST_get_by_id(int id); -OPENSSL_EXPORT int X509_TRUST_get_flags(const X509_TRUST *xp); -OPENSSL_EXPORT char *X509_TRUST_get0_name(const X509_TRUST *xp); -OPENSSL_EXPORT int X509_TRUST_get_trust(const X509_TRUST *xp); - /* SSL_CTX -> X509_STORE @@ -4682,18 +4660,6 @@ struct ISSUING_DIST_POINT_st { #define NS_OBJSIGN_CA 0x01 #define NS_ANY_CA (NS_SSL_CA | NS_SMIME_CA | NS_OBJSIGN_CA) -typedef struct x509_purpose_st { - int purpose; - int trust; // Default trust ID - int flags; - int (*check_purpose)(const struct x509_purpose_st *, const X509 *, int); - char *name; - char *sname; - void *usr_data; -} X509_PURPOSE; - -DEFINE_STACK_OF(X509_PURPOSE) - DECLARE_ASN1_FUNCTIONS_const(BASIC_CONSTRAINTS) // TODO(https://crbug.com/boringssl/407): This is not const because it contains @@ -4893,16 +4859,9 @@ OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, OPENSSL_EXPORT int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, int crit, unsigned long flags); -OPENSSL_EXPORT int X509_PURPOSE_set(int *p, int purpose); - -OPENSSL_EXPORT int X509_PURPOSE_get_count(void); -OPENSSL_EXPORT const X509_PURPOSE *X509_PURPOSE_get0(int idx); OPENSSL_EXPORT int X509_PURPOSE_get_by_sname(const char *sname); -OPENSSL_EXPORT int X509_PURPOSE_get_by_id(int id); -OPENSSL_EXPORT char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp); -OPENSSL_EXPORT char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp); -OPENSSL_EXPORT int X509_PURPOSE_get_trust(const X509_PURPOSE *xp); -OPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *); +OPENSSL_EXPORT const X509_PURPOSE *X509_PURPOSE_get0(int idx); +OPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *purpose); #if defined(__cplusplus) |