commit 827c7ddbc9a1e2eadf13c245ec436e511272d644
author David Benjamin <davidben@google.com> Sun Nov 12 13:37:46 2023 -0500
committer Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Thu Nov 16 18:53:45 2023 +0000
tree 3206036f3b2ccb7f416b8ba48e37f72c2dfe2348
parent 5d1c612a8b66fafabf759e47b36b6244dda8444c

Remove X509_CRL_diff

Update-Note: Removed an unused function. This has no callers and is only
useful to create delta CRLs, which are similarly unused and being
removed.

Bug: 601
Change-Id: I22abf36e723d19b9759bcabf28fddf7f2ffe7379
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/63928
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Auto-Submit: David Benjamin <davidben@google.com>

crypto/x509/x509_vfy.c

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 3c90fe8..f5e7733 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1810,117 +1810,6 @@
   return ASN1_TIME_adj(s, t, offset_day, offset_sec);
 }
 
-// Make a delta CRL as the diff between two full CRLs
-
-X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, EVP_PKEY *skey,
-                        const EVP_MD *md, unsigned int flags) {
-  X509_CRL *crl = NULL;
-  int i;
-  size_t j;
-  STACK_OF(X509_REVOKED) *revs = NULL;
-  // CRLs can't be delta already
-  if (base->base_crl_number || newer->base_crl_number) {
-    OPENSSL_PUT_ERROR(X509, X509_R_CRL_ALREADY_DELTA);
-    return NULL;
-  }
-  // Base and new CRL must have a CRL number
-  if (!base->crl_number || !newer->crl_number) {
-    OPENSSL_PUT_ERROR(X509, X509_R_NO_CRL_NUMBER);
-    return NULL;
-  }
-  // Issuer names must match
-  if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(newer))) {
-    OPENSSL_PUT_ERROR(X509, X509_R_ISSUER_MISMATCH);
-    return NULL;
-  }
-  // AKID and IDP must match
-  if (!crl_extension_match(base, newer, NID_authority_key_identifier)) {
-    OPENSSL_PUT_ERROR(X509, X509_R_AKID_MISMATCH);
-    return NULL;
-  }
-  if (!crl_extension_match(base, newer, NID_issuing_distribution_point)) {
-    OPENSSL_PUT_ERROR(X509, X509_R_IDP_MISMATCH);
-    return NULL;
-  }
-  // Newer CRL number must exceed full CRL number
-  if (ASN1_INTEGER_cmp(newer->crl_number, base->crl_number) <= 0) {
-    OPENSSL_PUT_ERROR(X509, X509_R_NEWER_CRL_NOT_NEWER);
-    return NULL;
-  }
-  // CRLs must verify
-  if (skey &&
-      (X509_CRL_verify(base, skey) <= 0 || X509_CRL_verify(newer, skey) <= 0)) {
-    OPENSSL_PUT_ERROR(X509, X509_R_CRL_VERIFY_FAILURE);
-    return NULL;
-  }
-  // Create new CRL
-  crl = X509_CRL_new();
-  if (!crl || !X509_CRL_set_version(crl, X509_CRL_VERSION_2)) {
-    goto memerr;
-  }
-  // Set issuer name
-  if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer))) {
-    goto memerr;
-  }
-
-  if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer))) {
-    goto memerr;
-  }
-  if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer))) {
-    goto memerr;
-  }
-
-  // Set base CRL number: must be critical
-
-  if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0)) {
-    goto memerr;
-  }
-
-  // Copy extensions across from newest CRL to delta: this will set CRL
-  // number to correct value too.
-
-  for (i = 0; i < X509_CRL_get_ext_count(newer); i++) {
-    const X509_EXTENSION *ext = X509_CRL_get_ext(newer, i);
-    if (!X509_CRL_add_ext(crl, ext, -1)) {
-      goto memerr;
-    }
-  }
-
-  // Go through revoked entries, copying as needed
-
-  revs = X509_CRL_get_REVOKED(newer);
-
-  for (j = 0; j < sk_X509_REVOKED_num(revs); j++) {
-    X509_REVOKED *rvn, *rvtmp;
-    rvn = sk_X509_REVOKED_value(revs, j);
-    // Add only if not also in base. TODO: need something cleverer here
-    // for some more complex CRLs covering multiple CAs.
-    if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) {
-      rvtmp = X509_REVOKED_dup(rvn);
-      if (!rvtmp) {
-        goto memerr;
-      }
-      if (!X509_CRL_add0_revoked(crl, rvtmp)) {
-        X509_REVOKED_free(rvtmp);
-        goto memerr;
-      }
-    }
-  }
-  // TODO: optionally prune deleted entries
-
-  if (skey && md && !X509_CRL_sign(crl, skey, md)) {
-    goto memerr;
-  }
-
-  return crl;
-
-memerr:
-  if (crl) {
-    X509_CRL_free(crl);
-  }
-  return NULL;
-}
-
 int X509_STORE_CTX_get_ex_new_index(long argl, void *argp,
                                     CRYPTO_EX_unused *unused,
                                     CRYPTO_EX_dup *dup_unused,

include/openssl/x509.h

diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 4b75f41..6c34f41 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -2560,10 +2560,6 @@
                                       ASN1_BIT_STRING *signature, void *asn,
                                       EVP_MD_CTX *ctx);
 
-OPENSSL_EXPORT X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
-                                       EVP_PKEY *skey, const EVP_MD *md,
-                                       unsigned int flags);
-
 OPENSSL_EXPORT int X509_REQ_check_private_key(X509_REQ *x509, EVP_PKEY *pkey);
 
 OPENSSL_EXPORT int X509_check_private_key(X509 *x509, const EVP_PKEY *pkey);