Google Git
Sign in
boringssl / boringssl.git / 74bab4cf7b9c7c2fd9c37b3eecfa059f1ffc218a^! / .
commit74bab4cf7b9c7c2fd9c37b3eecfa059f1ffc218a[log] [tgz]
authorDavid Benjamin <davidben@google.com>Mon Dec 25 16:51:37 2023 -0500
committerBoringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>Wed Jan 10 20:49:23 2024 +0000
treeeacac60b8276442ebcc25f0b649ce42b85e032ae
parent0beff26c59e67e2e19d173f1bd23241a0e946fd9 [diff]
Remove X509_TRUST_OCSP_SIGN and X509_TRUST_OCSP_REQUEST

These are unused and are the only options that remove the "compat"
self-signed fallback.

X509_TRUST_OCSP_REQUEST was intended for checking signed OCSP requests.
While OpenSSL's OCSP implementation (which we've dropped) does attempt
to configure it, it actually does nothing. They call
X509_STORE_CTX_set_trust after X509_STORE_CTX_set_purpose, but
X509_STORE_CTX_set_purpose already sets the trust parameter and
X509_STORE_CTX_set_trust only acts when trust is not configured.

X509_TRUST_OCSP_SIGN was briefly used in upstream's
30c278aa6bb614f4cfc5a26c7cbe66ad090f6896, by way of
X509_PURPOSE_OCSP_HELPER, but then immediately undone in
e9754726d236b74476cd0be5fa60acfef0c7024f.

Change-Id: I6d2cf9b88a6b013e74fe95cd88f94051111086df
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65151
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c
index 9db4bee..38dc96b 100644
--- a/crypto/x509/x509_trs.c
+++ b/crypto/x509/x509_trs.c

@@ -67,7 +67,6 @@
 
 
 static int trust_1oidany(const X509_TRUST *trust, X509 *x, int flags);
-static int trust_1oid(const X509_TRUST *trust, X509 *x, int flags);
 static int trust_compat(const X509_TRUST *trust, X509 *x, int flags);
 
 static int obj_trust(int id, X509 *x, int flags);
@@ -82,10 +81,6 @@
      NID_email_protect, NULL},
     {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, (char *)"Object Signer",
      NID_code_sign, NULL},
-    {X509_TRUST_OCSP_SIGN, 0, trust_1oid, (char *)"OCSP responder",
-     NID_OCSP_sign, NULL},
-    {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, (char *)"OCSP request",
-     NID_ad_OCSP, NULL},
     {X509_TRUST_TSA, 0, trust_1oidany, (char *)"TSA server", NID_time_stamp,
      NULL}};
 
@@ -155,13 +150,6 @@
   return trust_compat(trust, x, flags);
 }
 
-static int trust_1oid(const X509_TRUST *trust, X509 *x, int flags) {
-  if (x->aux) {
-    return obj_trust(trust->arg1, x, flags);
-  }
-  return X509_TRUST_UNTRUSTED;
-}
-
 static int trust_compat(const X509_TRUST *trust, X509 *x, int flags) {
   if (!x509v3_cache_extensions(x)) {
     return X509_TRUST_UNTRUSTED;

diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 1757e8e..099d5ef 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h

@@ -3557,8 +3557,6 @@
 #define X509_TRUST_SSL_SERVER 3
 #define X509_TRUST_EMAIL 4
 #define X509_TRUST_OBJECT_SIGN 5
-#define X509_TRUST_OCSP_SIGN 6
-#define X509_TRUST_OCSP_REQUEST 7
 #define X509_TRUST_TSA 8
 
 // check_trust return codes