diff options
author | David Benjamin <davidben@google.com> | 2021-08-11 01:23:09 -0400 |
---|---|---|
committer | Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2021-08-31 14:52:39 +0000 |
commit | dddb60eb9700110835ff6e2b429de40a17006429 (patch) | |
tree | 9acbc5c40ece58124ef5a6ad977d7e123cf4b12e /include | |
parent | 59aff62ca8c5b8f0249beee5a73da970486867ce (diff) | |
download | boringssl-dddb60eb9700110835ff6e2b429de40a17006429.zip boringssl-dddb60eb9700110835ff6e2b429de40a17006429.tar.gz boringssl-dddb60eb9700110835ff6e2b429de40a17006429.tar.bz2 |
Make most of crypto/x509 opaque.
This unexports X509, X509_CINF, X509_NAME_ENTRY, X509_NAME, X509_OBJECT,
X509_LOOKUP_METHOD, X509_STORE, X509_LOOKUP, and X509_STORE_CTX.
Note this means X509_STORE_CTX can no longer be stack-allocated.
Update-Note: Patch cl/390055173 into the roll that includes this. This
unexports most of the X.509 structs, aligning with OpenSSL. Use the
accessor APIs instead.
Bug: 425
Change-Id: I53e915bfae3b8dc4b67642279d0e54dc606f2297
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48985
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'include')
-rw-r--r-- | include/openssl/base.h | 3 | ||||
-rw-r--r-- | include/openssl/x509.h | 61 | ||||
-rw-r--r-- | include/openssl/x509_vfy.h | 126 |
3 files changed, 2 insertions, 188 deletions
diff --git a/include/openssl/base.h b/include/openssl/base.h index ea4366a..dd6a146 100644 --- a/include/openssl/base.h +++ b/include/openssl/base.h @@ -445,9 +445,10 @@ typedef struct trust_token_method_st TRUST_TOKEN_METHOD; typedef struct v3_ext_ctx X509V3_CTX; typedef struct x509_attributes_st X509_ATTRIBUTE; typedef struct x509_cert_aux_st X509_CERT_AUX; -typedef struct x509_cinf_st X509_CINF; typedef struct x509_crl_method_st X509_CRL_METHOD; typedef struct x509_lookup_st X509_LOOKUP; +typedef struct x509_lookup_method_st X509_LOOKUP_METHOD; +typedef struct x509_object_st X509_OBJECT; typedef struct x509_revoked_st X509_REVOKED; typedef struct x509_st X509; typedef struct x509_store_ctx_st X509_STORE_CTX; diff --git a/include/openssl/x509.h b/include/openssl/x509.h index fa333ca..f4444c9 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -121,24 +121,8 @@ DEFINE_STACK_OF(X509_ALGOR) typedef STACK_OF(X509_ALGOR) X509_ALGORS; -struct X509_name_entry_st { - ASN1_OBJECT *object; - ASN1_STRING *value; - int set; -} /* X509_NAME_ENTRY */; - DEFINE_STACK_OF(X509_NAME_ENTRY) -// we always keep X509_NAMEs in 2 forms. -struct X509_name_st { - STACK_OF(X509_NAME_ENTRY) *entries; - int modified; // true if 'bytes' needs to be built - BUF_MEM *bytes; - // unsigned long hash; Keep the hash around for lookups - unsigned char *canon_enc; - int canon_enclen; -} /* X509_NAME */; - DEFINE_STACK_OF(X509_NAME) typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS; @@ -147,20 +131,6 @@ DEFINE_STACK_OF(X509_EXTENSION) DEFINE_STACK_OF(X509_ATTRIBUTE) -struct x509_cinf_st { - ASN1_INTEGER *version; // [ 0 ] default of v1 - ASN1_INTEGER *serialNumber; - X509_ALGOR *signature; - X509_NAME *issuer; - X509_VAL *validity; - X509_NAME *subject; - X509_PUBKEY *key; - ASN1_BIT_STRING *issuerUID; // [ 1 ] optional in v2 - ASN1_BIT_STRING *subjectUID; // [ 2 ] optional in v2 - STACK_OF(X509_EXTENSION) *extensions; // [ 3 ] optional in v3 - ASN1_ENCODING enc; -} /* X509_CINF */; - // This stuff is certificate "auxiliary info" // it contains details which are useful in certificate // stores and databases. When used this is tagged onto @@ -169,31 +139,6 @@ struct x509_cinf_st { DECLARE_STACK_OF(DIST_POINT) DECLARE_STACK_OF(GENERAL_NAME) -struct x509_st { - X509_CINF *cert_info; - X509_ALGOR *sig_alg; - ASN1_BIT_STRING *signature; - CRYPTO_refcount_t references; - CRYPTO_EX_DATA ex_data; - // These contain copies of various extension values - long ex_pathlen; - long ex_pcpathlen; - unsigned long ex_flags; - unsigned long ex_kusage; - unsigned long ex_xkusage; - unsigned long ex_nscert; - ASN1_OCTET_STRING *skid; - AUTHORITY_KEYID *akid; - X509_POLICY_CACHE *policy_cache; - STACK_OF(DIST_POINT) *crldp; - STACK_OF(GENERAL_NAME) *altname; - NAME_CONSTRAINTS *nc; - unsigned char sha1_hash[SHA_DIGEST_LENGTH]; - X509_CERT_AUX *aux; - CRYPTO_BUFFER *buf; - CRYPTO_MUTEX lock; -} /* X509 */; - DEFINE_STACK_OF(X509) // This is used for a table of trust checking functions @@ -939,8 +884,6 @@ DECLARE_ASN1_FUNCTIONS(X509_NAME) // to the copy, and returns one. Otherwise, it returns zero. OPENSSL_EXPORT int X509_NAME_set(X509_NAME **xn, X509_NAME *name); -DECLARE_ASN1_FUNCTIONS(X509_CINF) - DECLARE_ASN1_FUNCTIONS(X509) DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX) @@ -1989,10 +1932,6 @@ BORINGSSL_MAKE_UP_REF(X509_STORE, X509_STORE_up_ref) BORINGSSL_MAKE_DELETER(X509_STORE_CTX, X509_STORE_CTX_free) BORINGSSL_MAKE_DELETER(X509_VERIFY_PARAM, X509_VERIFY_PARAM_free) -using ScopedX509_STORE_CTX = - internal::StackAllocated<X509_STORE_CTX, void, X509_STORE_CTX_zero, - X509_STORE_CTX_cleanup>; - BSSL_NAMESPACE_END } // extern C++ diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index 9b99f4a..d8781af 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h @@ -99,39 +99,8 @@ certificate chain. #define X509_LU_CRL 2 #define X509_LU_PKEY 3 -typedef struct x509_object_st { - // one of the above types - int type; - union { - char *ptr; - X509 *x509; - X509_CRL *crl; - EVP_PKEY *pkey; - } data; -} X509_OBJECT; - DEFINE_STACK_OF(X509_LOOKUP) DEFINE_STACK_OF(X509_OBJECT) - -// This is a static that defines the function interface -typedef struct x509_lookup_method_st { - const char *name; - int (*new_item)(X509_LOOKUP *ctx); - void (*free)(X509_LOOKUP *ctx); - int (*init)(X509_LOOKUP *ctx); - int (*shutdown)(X509_LOOKUP *ctx); - int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, - char **ret); - int (*get_by_subject)(X509_LOOKUP *ctx, int type, X509_NAME *name, - X509_OBJECT *ret); - int (*get_by_issuer_serial)(X509_LOOKUP *ctx, int type, X509_NAME *name, - ASN1_INTEGER *serial, X509_OBJECT *ret); - int (*get_by_fingerprint)(X509_LOOKUP *ctx, int type, unsigned char *bytes, - int len, X509_OBJECT *ret); - int (*get_by_alias)(X509_LOOKUP *ctx, int type, char *str, int len, - X509_OBJECT *ret); -} X509_LOOKUP_METHOD; - DEFINE_STACK_OF(X509_VERIFY_PARAM) typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *); @@ -153,103 +122,8 @@ typedef STACK_OF(X509_CRL) *(*X509_STORE_CTX_lookup_crls_fn)( X509_STORE_CTX *ctx, X509_NAME *nm); typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx); -// This is used to hold everything. It is used for all certificate -// validation. Once we have a certificate chain, the 'verify' -// function is then called to actually check the cert chain. -struct x509_store_st { - // The following is a cache of trusted certs - int cache; // if true, stash any hits - STACK_OF(X509_OBJECT) *objs; // Cache of all objects - CRYPTO_MUTEX objs_lock; - STACK_OF(X509) *additional_untrusted; - - // These are external lookup methods - STACK_OF(X509_LOOKUP) *get_cert_methods; - - X509_VERIFY_PARAM *param; - - // Callbacks for various operations - X509_STORE_CTX_verify_fn verify; // called to verify a certificate - X509_STORE_CTX_verify_cb verify_cb; // error callback - X509_STORE_CTX_get_issuer_fn get_issuer; // get issuers cert from ctx - X509_STORE_CTX_check_issued_fn check_issued; // check issued - X509_STORE_CTX_check_revocation_fn - check_revocation; // Check revocation status of chain - X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL - X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity - X509_STORE_CTX_cert_crl_fn cert_crl; // Check certificate against CRL - X509_STORE_CTX_lookup_certs_fn lookup_certs; - X509_STORE_CTX_lookup_crls_fn lookup_crls; - X509_STORE_CTX_cleanup_fn cleanup; - - CRYPTO_refcount_t references; -} /* X509_STORE */; - OPENSSL_EXPORT int X509_STORE_set_depth(X509_STORE *store, int depth); -// This is the functions plus an instance of the local variables. -struct x509_lookup_st { - int init; // have we been started - int skip; // don't use us. - X509_LOOKUP_METHOD *method; // the functions - char *method_data; // method data - - X509_STORE *store_ctx; // who owns us -} /* X509_LOOKUP */; - -// This is a used when verifying cert chains. Since the -// gathering of the cert chain can take some time (and have to be -// 'retried', this needs to be kept and passed around. -struct x509_store_ctx_st // X509_STORE_CTX -{ - X509_STORE *ctx; - - // The following are set by the caller - X509 *cert; // The cert to check - STACK_OF(X509) *untrusted; // chain of X509s - untrusted - passed in - STACK_OF(X509_CRL) *crls; // set of CRLs passed in - - X509_VERIFY_PARAM *param; - void *other_ctx; // Other info for use with get_issuer() - - // Callbacks for various operations - X509_STORE_CTX_verify_fn verify; // called to verify a certificate - X509_STORE_CTX_verify_cb verify_cb; // error callback - X509_STORE_CTX_get_issuer_fn get_issuer; // get issuers cert from ctx - X509_STORE_CTX_check_issued_fn check_issued; // check issued - X509_STORE_CTX_check_revocation_fn - check_revocation; // Check revocation status of chain - X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL - X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity - X509_STORE_CTX_cert_crl_fn cert_crl; // Check certificate against CRL - X509_STORE_CTX_check_policy_fn check_policy; - X509_STORE_CTX_lookup_certs_fn lookup_certs; - X509_STORE_CTX_lookup_crls_fn lookup_crls; - X509_STORE_CTX_cleanup_fn cleanup; - - // The following is built up - int valid; // if 0, rebuild chain - int last_untrusted; // index of last untrusted cert - STACK_OF(X509) *chain; // chain of X509s - built up and trusted - X509_POLICY_TREE *tree; // Valid policy tree - - int explicit_policy; // Require explicit policy value - - // When something goes wrong, this is why - int error_depth; - int error; - X509 *current_cert; - X509 *current_issuer; // cert currently being tested as valid issuer - X509_CRL *current_crl; // current CRL - - int current_crl_score; // score of current CRL - unsigned int current_reasons; // Reason mask - - X509_STORE_CTX *parent; // For CRL path validation: parent context - - CRYPTO_EX_DATA ex_data; -} /* X509_STORE_CTX */; - OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_STORE_CTX_set_app_data(ctx, data) \ |