Remove PKCS8_pkey_get0 and PKCS8_pkey_set0. I can't find any users of these APIs. If we remove them, the only publicly exposed operation on PKCS8_PRIV_KEY_INFO becomes EVP_PKCS82PKEY. We can then parse it without a dependency on the legacy ASN.1 stack. While I'm here, remove the callback on the structure. OPENSSL_free automatically calls OPENSSL_cleanse in BoringSSL, so the call is redundant. Update-Note: Removed some unused accessors. Change-Id: I400748463abe3c28dfa42ae9de9be59cb76cd2b2 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53332 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/crypto/pkcs8/pkcs8_x509.c b/crypto/pkcs8/pkcs8_x509.c index 5a1d591..f5dd5b4 100644 --- a/crypto/pkcs8/pkcs8_x509.c +++ b/crypto/pkcs8/pkcs8_x509.c
@@ -90,61 +90,15 @@ return 0 < iterations && iterations <= kIterationsLimit; } -// Minor tweak to operation: zero private key data -static int pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, - void *exarg) { - // Since the structure must still be valid use ASN1_OP_FREE_PRE - if (operation == ASN1_OP_FREE_PRE) { - PKCS8_PRIV_KEY_INFO *key = (PKCS8_PRIV_KEY_INFO *)*pval; - if (key->pkey) { - OPENSSL_cleanse(key->pkey->data, key->pkey->length); - } - } - return 1; -} - -ASN1_SEQUENCE_cb(PKCS8_PRIV_KEY_INFO, pkey_cb) = { +ASN1_SEQUENCE(PKCS8_PRIV_KEY_INFO) = { ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, version, ASN1_INTEGER), ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkeyalg, X509_ALGOR), ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkey, ASN1_OCTET_STRING), ASN1_IMP_SET_OF_OPT(PKCS8_PRIV_KEY_INFO, attributes, X509_ATTRIBUTE, 0), -} ASN1_SEQUENCE_END_cb(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO) +} ASN1_SEQUENCE_END(PKCS8_PRIV_KEY_INFO) IMPLEMENT_ASN1_FUNCTIONS_const(PKCS8_PRIV_KEY_INFO) -int PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj, int version, - int ptype, void *pval, uint8_t *penc, int penclen) { - if (version >= 0 && - !ASN1_INTEGER_set(priv->version, version)) { - return 0; - } - - if (!X509_ALGOR_set0(priv->pkeyalg, aobj, ptype, pval)) { - return 0; - } - - if (penc != NULL) { - ASN1_STRING_set0(priv->pkey, penc, penclen); - } - - return 1; -} - -int PKCS8_pkey_get0(ASN1_OBJECT **ppkalg, const uint8_t **pk, int *ppklen, - X509_ALGOR **pa, PKCS8_PRIV_KEY_INFO *p8) { - if (ppkalg) { - *ppkalg = p8->pkeyalg->algorithm; - } - if (pk) { - *pk = ASN1_STRING_data(p8->pkey); - *ppklen = ASN1_STRING_length(p8->pkey); - } - if (pa) { - *pa = p8->pkeyalg; - } - return 1; -} - EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8) { uint8_t *der = NULL; int der_len = i2d_PKCS8_PRIV_KEY_INFO(p8, &der);
diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 6c3d978..b89be08 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h
@@ -2243,13 +2243,6 @@ OPENSSL_EXPORT EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8); OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey); -OPENSSL_EXPORT int PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj, - int version, int ptype, void *pval, - unsigned char *penc, int penclen); -OPENSSL_EXPORT int PKCS8_pkey_get0(ASN1_OBJECT **ppkalg, - const unsigned char **pk, int *ppklen, - X509_ALGOR **pa, PKCS8_PRIV_KEY_INFO *p8); - // X509_PUBKEY_set0_param sets |pub| to a key with AlgorithmIdentifier // determined by |obj|, |param_type|, and |param_value|, and an encoded // public key of |key|. On success, it takes ownership of all its parameters and