Remove delta and extended CRL support
Update-Note: The X509_V_FLAG_EXTENDED_CRL_SUPPORT and
X509_V_FLAG_USE_DELTAS flags now cause verification to fail. They
weren't enabled by any caller.
This broadly is meant to disable:
- Delta CRLs
- Indirect CRLs (When the CRL's issuer is somehow different from the
certificate. The security properties for this is very interesting,
since it refers to just any other random name under the same trust
anchor. Very clearly a remnant of when X.509 was meant to authenticate
a global directory. See the rather worrisome comment over
check_crl_chain.)
- Merging together multiple CRLs that are partitioned by reasons
There's some other code we can now unwind, which will be handled in
follow-up changes. This CL is meant to be a minimal change to disable
them. Though even this minimal change requires we delete a bunch of
functions.
Bug: 601
Change-Id: I319ab793f480c6b99de86da6077b616f18edf06b
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/63929
Reviewed-by: Bob Beck <bbe@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 6c34f41..ebbf1ff 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -2806,9 +2806,9 @@
#define X509_V_FLAG_INHIBIT_MAP 0x400
// Notify callback that policy is OK
#define X509_V_FLAG_NOTIFY_POLICY 0x800
-// Extended CRL features such as indirect CRLs, alternate CRL signing keys
+// Causes all verifications to fail. Extended CRL features have been removed.
#define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000
-// Delta CRL support
+// Causes all verifications to fail. Delta CRL support has been removed.
#define X509_V_FLAG_USE_DELTAS 0x2000
// Check selfsigned CA signature
#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
