Unexport most of X509_TRUST and X509_PURPOSE and simplify
X509_PURPOSE can't be fully trimmed because rust-openssl uses a few APIs
to look up purposes by string.
Change-Id: I39e3cec4d8b01ecf7dec1f368fabea4a82eff8e9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65788
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/crypto/x509/internal.h b/crypto/x509/internal.h
index 422e51c..d35c7f5 100644
--- a/crypto/x509/internal.h
+++ b/crypto/x509/internal.h
@@ -588,6 +588,13 @@
// |X509_NAME| issue is resolved.
int X509_check_akid(X509 *issuer, const AUTHORITY_KEYID *akid);
+int X509_TRUST_set(int *t, int trust);
+int X509_TRUST_get_by_id(int id);
+
+int X509_PURPOSE_set(int *p, int purpose);
+int X509_PURPOSE_get_by_id(int id);
+int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
+
#if defined(__cplusplus)
} // extern C
diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c
index 8e0548d..fe6cb0f 100644
--- a/crypto/x509/v3_purp.c
+++ b/crypto/x509/v3_purp.c
@@ -68,6 +68,14 @@
#include "../internal.h"
#include "internal.h"
+
+struct x509_purpose_st {
+ int purpose;
+ int trust; // Default trust ID
+ int (*check_purpose)(const struct x509_purpose_st *, const X509 *, int);
+ const char *sname;
+} /* X509_PURPOSE */;
+
#define V1_ROOT (EXFLAG_V1 | EXFLAG_SS)
#define ku_reject(x, usage) \
(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
@@ -97,29 +105,24 @@
#define X509_TRUST_NONE (-1)
static const X509_PURPOSE xstandard[] = {
- {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0,
- check_purpose_ssl_client, (char *)"SSL client", (char *)"sslclient", NULL},
- {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0,
- check_purpose_ssl_server, (char *)"SSL server", (char *)"sslserver", NULL},
- {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0,
- check_purpose_ns_ssl_server, (char *)"Netscape SSL server",
- (char *)"nssslserver", NULL},
- {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign,
- (char *)"S/MIME signing", (char *)"smimesign", NULL},
- {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0,
- check_purpose_smime_encrypt, (char *)"S/MIME encryption",
- (char *)"smimeencrypt", NULL},
- {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign,
- (char *)"CRL signing", (char *)"crlsign", NULL},
- {X509_PURPOSE_ANY, X509_TRUST_NONE, 0, no_check, (char *)"Any Purpose",
- (char *)"any", NULL},
+ {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, check_purpose_ssl_client,
+ "sslclient"},
+ {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, check_purpose_ssl_server,
+ "sslserver"},
+ {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER,
+ check_purpose_ns_ssl_server, "nssslserver"},
+ {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, check_purpose_smime_sign,
+ "smimesign"},
+ {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, check_purpose_smime_encrypt,
+ "smimeencrypt"},
+ {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, check_purpose_crl_sign,
+ "crlsign"},
+ {X509_PURPOSE_ANY, X509_TRUST_NONE, no_check, "any"},
// |X509_PURPOSE_OCSP_HELPER| performs no actual checks. OpenSSL's OCSP
// implementation relied on the caller performing EKU and KU checks.
- {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, no_check,
- (char *)"OCSP helper", (char *)"ocsphelper", NULL},
- {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0,
- check_purpose_timestamp_sign, (char *)"Time Stamp signing",
- (char *)"timestampsign", NULL},
+ {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, no_check, "ocsphelper"},
+ {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, check_purpose_timestamp_sign,
+ "timestampsign"},
};
int X509_check_purpose(X509 *x, int id, int ca) {
@@ -156,8 +159,6 @@
return 1;
}
-int X509_PURPOSE_get_count(void) { return OPENSSL_ARRAY_SIZE(xstandard); }
-
const X509_PURPOSE *X509_PURPOSE_get0(int idx) {
if (idx < 0 || (size_t)idx >= OPENSSL_ARRAY_SIZE(xstandard)) {
return NULL;
@@ -166,9 +167,8 @@
}
int X509_PURPOSE_get_by_sname(const char *sname) {
- const X509_PURPOSE *xptmp;
- for (int i = 0; i < X509_PURPOSE_get_count(); i++) {
- xptmp = X509_PURPOSE_get0(i);
+ for (int i = 0; i < (int)OPENSSL_ARRAY_SIZE(xstandard); i++) {
+ const X509_PURPOSE *xptmp = X509_PURPOSE_get0(i);
if (!strcmp(xptmp->sname, sname)) {
return i;
}
@@ -189,10 +189,6 @@
int X509_PURPOSE_get_id(const X509_PURPOSE *xp) { return xp->purpose; }
-char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp) { return xp->name; }
-
-char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp) { return xp->sname; }
-
int X509_PURPOSE_get_trust(const X509_PURPOSE *xp) { return xp->trust; }
int X509_supported_extension(const X509_EXTENSION *ex) {
diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
index a3616dc..50fb34c 100644
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
@@ -7721,6 +7721,15 @@
{intermediate.normal.get()}, {}, /*flags=*/0, set_server_trust));
}
+// Test some APIs that rust-openssl uses to look up purposes by name.
+TEST(X509Test, PurposeByShortName) {
+ int idx = X509_PURPOSE_get_by_sname("sslserver");
+ ASSERT_NE(idx, -1);
+ const X509_PURPOSE *purpose = X509_PURPOSE_get0(idx);
+ ASSERT_TRUE(purpose);
+ EXPECT_EQ(X509_PURPOSE_get_id(purpose), X509_PURPOSE_SSL_SERVER);
+}
+
TEST(X509Test, CriticalExtension) {
bssl::UniquePtr<EVP_PKEY> key = PrivateKeyFromPEM(kP256Key);
ASSERT_TRUE(key);
diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c
index 907e492..a626c88 100644
--- a/crypto/x509/x509_trs.c
+++ b/crypto/x509/x509_trs.c
@@ -66,23 +66,28 @@
#include "internal.h"
+typedef struct x509_trust_st X509_TRUST;
+
+struct x509_trust_st {
+ int trust;
+ int (*check_trust)(const X509_TRUST *, X509 *, int);
+ int nid;
+} /* X509_TRUST */;
+
+static const X509_TRUST *X509_TRUST_get0(int idx);
+
static int trust_1oidany(const X509_TRUST *trust, X509 *x, int flags);
static int trust_compat(const X509_TRUST *trust, X509 *x, int flags);
static int obj_trust(int id, X509 *x, int flags);
static const X509_TRUST trstandard[] = {
- {X509_TRUST_COMPAT, 0, trust_compat, (char *)"compatible", 0, NULL},
- {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, (char *)"SSL Client",
- NID_client_auth, NULL},
- {X509_TRUST_SSL_SERVER, 0, trust_1oidany, (char *)"SSL Server",
- NID_server_auth, NULL},
- {X509_TRUST_EMAIL, 0, trust_1oidany, (char *)"S/MIME email",
- NID_email_protect, NULL},
- {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, (char *)"Object Signer",
- NID_code_sign, NULL},
- {X509_TRUST_TSA, 0, trust_1oidany, (char *)"TSA server", NID_time_stamp,
- NULL}};
+ {X509_TRUST_COMPAT, trust_compat, 0},
+ {X509_TRUST_SSL_CLIENT, trust_1oidany, NID_client_auth},
+ {X509_TRUST_SSL_SERVER, trust_1oidany, NID_server_auth},
+ {X509_TRUST_EMAIL, trust_1oidany, NID_email_protect},
+ {X509_TRUST_OBJECT_SIGN, trust_1oidany, NID_code_sign},
+ {X509_TRUST_TSA, trust_1oidany, NID_time_stamp}};
int X509_check_trust(X509 *x, int id, int flags) {
if (id == -1) {
@@ -104,9 +109,7 @@
return pt->check_trust(pt, x, flags);
}
-int X509_TRUST_get_count(void) { return OPENSSL_ARRAY_SIZE(trstandard); }
-
-const X509_TRUST *X509_TRUST_get0(int idx) {
+static const X509_TRUST *X509_TRUST_get0(int idx) {
if (idx < 0 || (size_t)idx >= OPENSSL_ARRAY_SIZE(trstandard)) {
return NULL;
}
@@ -133,15 +136,9 @@
return 1;
}
-int X509_TRUST_get_flags(const X509_TRUST *xp) { return xp->flags; }
-
-char *X509_TRUST_get0_name(const X509_TRUST *xp) { return xp->name; }
-
-int X509_TRUST_get_trust(const X509_TRUST *xp) { return xp->trust; }
-
static int trust_1oidany(const X509_TRUST *trust, X509 *x, int flags) {
if (x->aux && (x->aux->trust || x->aux->reject)) {
- return obj_trust(trust->arg1, x, flags);
+ return obj_trust(trust->nid, x, flags);
}
// we don't have any trust settings: for compatibility we return trusted
// if it is self signed
@@ -160,24 +157,21 @@
}
static int obj_trust(int id, X509 *x, int flags) {
- ASN1_OBJECT *obj;
- size_t i;
- X509_CERT_AUX *ax;
- ax = x->aux;
+ X509_CERT_AUX *ax = x->aux;
if (!ax) {
return X509_TRUST_UNTRUSTED;
}
if (ax->reject) {
- for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
- obj = sk_ASN1_OBJECT_value(ax->reject, i);
+ for (size_t i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
+ const ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->reject, i);
if (OBJ_obj2nid(obj) == id) {
return X509_TRUST_REJECTED;
}
}
}
if (ax->trust) {
- for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
- obj = sk_ASN1_OBJECT_value(ax->trust, i);
+ for (size_t i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
+ const ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->trust, i);
if (OBJ_obj2nid(obj) == id) {
return X509_TRUST_TRUSTED;
}
diff --git a/include/openssl/base.h b/include/openssl/base.h
index 98de503..9b72e99 100644
--- a/include/openssl/base.h
+++ b/include/openssl/base.h
@@ -378,11 +378,11 @@
typedef struct x509_lookup_st X509_LOOKUP;
typedef struct x509_lookup_method_st X509_LOOKUP_METHOD;
typedef struct x509_object_st X509_OBJECT;
+typedef struct x509_purpose_st X509_PURPOSE;
typedef struct x509_revoked_st X509_REVOKED;
typedef struct x509_st X509;
typedef struct x509_store_ctx_st X509_STORE_CTX;
typedef struct x509_store_st X509_STORE;
-typedef struct x509_trust_st X509_TRUST;
typedef void *OPENSSL_BLOCK;
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index b864809..60d1835 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -655,14 +655,14 @@
// X509_add1_trust_object configures |x509| as a valid trust anchor for |obj|.
// It returns one on success and zero on error. |obj| should be a certificate
-// usage OID associated with an |X509_TRUST| object.
+// usage OID associated with an |X509_TRUST_*| constant.
//
// See |X509_VERIFY_PARAM_set_trust| for details on how this value is evaluated.
OPENSSL_EXPORT int X509_add1_trust_object(X509 *x509, const ASN1_OBJECT *obj);
// X509_add1_reject_object configures |x509| as distrusted for |obj|. It returns
// one on success and zero on error. |obj| should be a certificate usage OID
-// associated with an |X509_TRUST| object.
+// associated with an |X509_TRUST_*| constant.
//
// See |X509_VERIFY_PARAM_set_trust| for details on how this value is evaluated.
OPENSSL_EXPORT int X509_add1_reject_object(X509 *x509, const ASN1_OBJECT *obj);
@@ -4331,19 +4331,6 @@
DECLARE_STACK_OF(DIST_POINT)
-// This is used for a table of trust checking functions
-
-struct x509_trust_st {
- int trust;
- int flags;
- int (*check_trust)(const X509_TRUST *, X509 *, int);
- char *name;
- int arg1;
- void *arg2;
-} /* X509_TRUST */;
-
-DEFINE_STACK_OF(X509_TRUST)
-
OPENSSL_EXPORT const char *X509_get_default_cert_area(void);
OPENSSL_EXPORT const char *X509_get_default_cert_dir(void);
OPENSSL_EXPORT const char *X509_get_default_cert_file(void);
@@ -4352,8 +4339,6 @@
OPENSSL_EXPORT const char *X509_get_default_private_dir(void);
-OPENSSL_EXPORT int X509_TRUST_set(int *t, int trust);
-
OPENSSL_EXPORT int X509_cmp(const X509 *a, const X509 *b);
// X509_NAME_hash returns a hash of |name|, or zero on error. This is the new
@@ -4384,13 +4369,6 @@
OPENSSL_EXPORT int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
-OPENSSL_EXPORT int X509_TRUST_get_count(void);
-OPENSSL_EXPORT const X509_TRUST *X509_TRUST_get0(int idx);
-OPENSSL_EXPORT int X509_TRUST_get_by_id(int id);
-OPENSSL_EXPORT int X509_TRUST_get_flags(const X509_TRUST *xp);
-OPENSSL_EXPORT char *X509_TRUST_get0_name(const X509_TRUST *xp);
-OPENSSL_EXPORT int X509_TRUST_get_trust(const X509_TRUST *xp);
-
/*
SSL_CTX -> X509_STORE
@@ -4682,18 +4660,6 @@
#define NS_OBJSIGN_CA 0x01
#define NS_ANY_CA (NS_SSL_CA | NS_SMIME_CA | NS_OBJSIGN_CA)
-typedef struct x509_purpose_st {
- int purpose;
- int trust; // Default trust ID
- int flags;
- int (*check_purpose)(const struct x509_purpose_st *, const X509 *, int);
- char *name;
- char *sname;
- void *usr_data;
-} X509_PURPOSE;
-
-DEFINE_STACK_OF(X509_PURPOSE)
-
DECLARE_ASN1_FUNCTIONS_const(BASIC_CONSTRAINTS)
// TODO(https://crbug.com/boringssl/407): This is not const because it contains
@@ -4893,16 +4859,9 @@
OPENSSL_EXPORT int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid,
void *value, int crit, unsigned long flags);
-OPENSSL_EXPORT int X509_PURPOSE_set(int *p, int purpose);
-
-OPENSSL_EXPORT int X509_PURPOSE_get_count(void);
-OPENSSL_EXPORT const X509_PURPOSE *X509_PURPOSE_get0(int idx);
OPENSSL_EXPORT int X509_PURPOSE_get_by_sname(const char *sname);
-OPENSSL_EXPORT int X509_PURPOSE_get_by_id(int id);
-OPENSSL_EXPORT char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp);
-OPENSSL_EXPORT char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp);
-OPENSSL_EXPORT int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
-OPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *);
+OPENSSL_EXPORT const X509_PURPOSE *X509_PURPOSE_get0(int idx);
+OPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *purpose);
#if defined(__cplusplus)
