tree 8e07780ce40bc8dc7683e9dd6dceabcb212687af
parent 85e2f2c655a13e29988df777ed680ddf0969434d
author David Benjamin <davidben@google.com> 1701526897 -0500
committer Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> 1701897681 +0000

Remove dynamic X509_TRUST and X509_PURPOSE registration

This is not thread-safe. Even if made thread-safe, it involves
registering globals, so it's just not a good API.

Note this means that there is no longer a way to configure custom trust
OIDs or purpose checks. Evidently no one was doing that. Should a use
case arise, I don't think it should be met by this API. The things one
might want to configure here are:

- Which OID to match against X509_add1_trust_object and
  X509_add1_reject_object

- Whether self-signed certificates, if no trust objects are configured,
  also count as trust anchors

- Which EKU OID to look for up the chain

- Which legacy Netscape certificate type to look for (can we remove
  this?)

- Which key usage bits to look for in the leaf

We can simply add APIs for specifying those if we need them.

Interestingly, there's a call to check_ca inside the purpose checks
(which gets skipped if you don't configure a purpose!), but I think it
may be redundant with the X509_check_ca call in the path verifier.

Change-Id: If71ee3d0768b5fc71422852b4fcf7eb23e937dd2
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64507
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>