Remove X509_CRL_diff
Update-Note: Removed an unused function. This has no callers and is only
useful to create delta CRLs, which are similarly unused and being
removed.
Bug: 601
Change-Id: I22abf36e723d19b9759bcabf28fddf7f2ffe7379
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/63928
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 3c90fe8..f5e7733 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1810,117 +1810,6 @@
return ASN1_TIME_adj(s, t, offset_day, offset_sec);
}
-// Make a delta CRL as the diff between two full CRLs
-
-X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, EVP_PKEY *skey,
- const EVP_MD *md, unsigned int flags) {
- X509_CRL *crl = NULL;
- int i;
- size_t j;
- STACK_OF(X509_REVOKED) *revs = NULL;
- // CRLs can't be delta already
- if (base->base_crl_number || newer->base_crl_number) {
- OPENSSL_PUT_ERROR(X509, X509_R_CRL_ALREADY_DELTA);
- return NULL;
- }
- // Base and new CRL must have a CRL number
- if (!base->crl_number || !newer->crl_number) {
- OPENSSL_PUT_ERROR(X509, X509_R_NO_CRL_NUMBER);
- return NULL;
- }
- // Issuer names must match
- if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(newer))) {
- OPENSSL_PUT_ERROR(X509, X509_R_ISSUER_MISMATCH);
- return NULL;
- }
- // AKID and IDP must match
- if (!crl_extension_match(base, newer, NID_authority_key_identifier)) {
- OPENSSL_PUT_ERROR(X509, X509_R_AKID_MISMATCH);
- return NULL;
- }
- if (!crl_extension_match(base, newer, NID_issuing_distribution_point)) {
- OPENSSL_PUT_ERROR(X509, X509_R_IDP_MISMATCH);
- return NULL;
- }
- // Newer CRL number must exceed full CRL number
- if (ASN1_INTEGER_cmp(newer->crl_number, base->crl_number) <= 0) {
- OPENSSL_PUT_ERROR(X509, X509_R_NEWER_CRL_NOT_NEWER);
- return NULL;
- }
- // CRLs must verify
- if (skey &&
- (X509_CRL_verify(base, skey) <= 0 || X509_CRL_verify(newer, skey) <= 0)) {
- OPENSSL_PUT_ERROR(X509, X509_R_CRL_VERIFY_FAILURE);
- return NULL;
- }
- // Create new CRL
- crl = X509_CRL_new();
- if (!crl || !X509_CRL_set_version(crl, X509_CRL_VERSION_2)) {
- goto memerr;
- }
- // Set issuer name
- if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer))) {
- goto memerr;
- }
-
- if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer))) {
- goto memerr;
- }
- if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer))) {
- goto memerr;
- }
-
- // Set base CRL number: must be critical
-
- if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0)) {
- goto memerr;
- }
-
- // Copy extensions across from newest CRL to delta: this will set CRL
- // number to correct value too.
-
- for (i = 0; i < X509_CRL_get_ext_count(newer); i++) {
- const X509_EXTENSION *ext = X509_CRL_get_ext(newer, i);
- if (!X509_CRL_add_ext(crl, ext, -1)) {
- goto memerr;
- }
- }
-
- // Go through revoked entries, copying as needed
-
- revs = X509_CRL_get_REVOKED(newer);
-
- for (j = 0; j < sk_X509_REVOKED_num(revs); j++) {
- X509_REVOKED *rvn, *rvtmp;
- rvn = sk_X509_REVOKED_value(revs, j);
- // Add only if not also in base. TODO: need something cleverer here
- // for some more complex CRLs covering multiple CAs.
- if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) {
- rvtmp = X509_REVOKED_dup(rvn);
- if (!rvtmp) {
- goto memerr;
- }
- if (!X509_CRL_add0_revoked(crl, rvtmp)) {
- X509_REVOKED_free(rvtmp);
- goto memerr;
- }
- }
- }
- // TODO: optionally prune deleted entries
-
- if (skey && md && !X509_CRL_sign(crl, skey, md)) {
- goto memerr;
- }
-
- return crl;
-
-memerr:
- if (crl) {
- X509_CRL_free(crl);
- }
- return NULL;
-}
-
int X509_STORE_CTX_get_ex_new_index(long argl, void *argp,
CRYPTO_EX_unused *unused,
CRYPTO_EX_dup *dup_unused,
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 4b75f41..6c34f41 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -2560,10 +2560,6 @@
ASN1_BIT_STRING *signature, void *asn,
EVP_MD_CTX *ctx);
-OPENSSL_EXPORT X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
- EVP_PKEY *skey, const EVP_MD *md,
- unsigned int flags);
-
OPENSSL_EXPORT int X509_REQ_check_private_key(X509_REQ *x509, EVP_PKEY *pkey);
OPENSSL_EXPORT int X509_check_private_key(X509 *x509, const EVP_PKEY *pkey);