Remove unused files from pki
These files aren't built and don't build because of a fillins dependency.
Change-Id: I3466fb50298922cfb21c9f60950d572df0d64ca8
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65907
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
diff --git a/pki/asn1_util.cc b/pki/asn1_util.cc
deleted file mode 100644
index 3c9cef7..0000000
--- a/pki/asn1_util.cc
+++ /dev/null
@@ -1,353 +0,0 @@
-// Copyright 2012 The Chromium Authors
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "asn1_util.h"
-
-#include <optional>
-#include "input.h"
-#include "parse_certificate.h"
-#include "parser.h"
-
-namespace bssl::asn1 {
-
-namespace {
-
-// Parses input |in| which should point to the beginning of a Certificate, and
-// sets |*tbs_certificate| ready to parse the Subject. If parsing
-// fails, this function returns false and |*tbs_certificate| is left in an
-// undefined state.
-bool SeekToSubject(der::Input in, der::Parser *tbs_certificate) {
- // From RFC 5280, section 4.1
- // Certificate ::= SEQUENCE {
- // tbsCertificate TBSCertificate,
- // signatureAlgorithm AlgorithmIdentifier,
- // signatureValue BIT STRING }
-
- // TBSCertificate ::= SEQUENCE {
- // version [0] EXPLICIT Version DEFAULT v1,
- // serialNumber CertificateSerialNumber,
- // signature AlgorithmIdentifier,
- // issuer Name,
- // validity Validity,
- // subject Name,
- // subjectPublicKeyInfo SubjectPublicKeyInfo,
- // ... }
-
- der::Parser parser(in);
- der::Parser certificate;
- if (!parser.ReadSequence(&certificate)) {
- return false;
- }
-
- // We don't allow junk after the certificate.
- if (parser.HasMore()) {
- return false;
- }
-
- if (!certificate.ReadSequence(tbs_certificate)) {
- return false;
- }
-
- bool unused;
- if (!tbs_certificate->SkipOptionalTag(
- der::kTagConstructed | der::kTagContextSpecific | 0, &unused)) {
- return false;
- }
-
- // serialNumber
- if (!tbs_certificate->SkipTag(der::kInteger)) {
- return false;
- }
- // signature
- if (!tbs_certificate->SkipTag(der::kSequence)) {
- return false;
- }
- // issuer
- if (!tbs_certificate->SkipTag(der::kSequence)) {
- return false;
- }
- // validity
- if (!tbs_certificate->SkipTag(der::kSequence)) {
- return false;
- }
- return true;
-}
-
-// Parses input |in| which should point to the beginning of a Certificate, and
-// sets |*tbs_certificate| ready to parse the SubjectPublicKeyInfo. If parsing
-// fails, this function returns false and |*tbs_certificate| is left in an
-// undefined state.
-bool SeekToSPKI(der::Input in, der::Parser *tbs_certificate) {
- return SeekToSubject(in, tbs_certificate) &&
- // Skip over Subject.
- tbs_certificate->SkipTag(der::kSequence);
-}
-
-// Parses input |in| which should point to the beginning of a
-// Certificate. If parsing fails, this function returns false, with
-// |*extensions_present| and |*extensions_parser| left in an undefined
-// state. If parsing succeeds and extensions are present, this function
-// sets |*extensions_present| to true and sets |*extensions_parser|
-// ready to parse the Extensions. If extensions are not present, it sets
-// |*extensions_present| to false and |*extensions_parser| is left in an
-// undefined state.
-bool SeekToExtensions(der::Input in, bool *extensions_present,
- der::Parser *extensions_parser) {
- bool present;
- der::Parser tbs_cert_parser;
- if (!SeekToSPKI(in, &tbs_cert_parser)) {
- return false;
- }
-
- // From RFC 5280, section 4.1
- // TBSCertificate ::= SEQUENCE {
- // ...
- // subjectPublicKeyInfo SubjectPublicKeyInfo,
- // issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
- // subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
- // extensions [3] EXPLICIT Extensions OPTIONAL }
-
- // subjectPublicKeyInfo
- if (!tbs_cert_parser.SkipTag(der::kSequence)) {
- return false;
- }
- // issuerUniqueID
- if (!tbs_cert_parser.SkipOptionalTag(der::kTagContextSpecific | 1,
- &present)) {
- return false;
- }
- // subjectUniqueID
- if (!tbs_cert_parser.SkipOptionalTag(der::kTagContextSpecific | 2,
- &present)) {
- return false;
- }
-
- std::optional<der::Input> extensions;
- if (!tbs_cert_parser.ReadOptionalTag(
- der::kTagConstructed | der::kTagContextSpecific | 3, &extensions)) {
- return false;
- }
-
- if (!extensions) {
- *extensions_present = false;
- return true;
- }
-
- // Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
- // Extension ::= SEQUENCE {
- // extnID OBJECT IDENTIFIER,
- // critical BOOLEAN DEFAULT FALSE,
- // extnValue OCTET STRING }
-
- // |extensions| was EXPLICITly tagged, so we still need to remove the
- // ASN.1 SEQUENCE header.
- der::Parser explicit_extensions_parser(extensions.value());
- if (!explicit_extensions_parser.ReadSequence(extensions_parser)) {
- return false;
- }
-
- if (explicit_extensions_parser.HasMore()) {
- return false;
- }
-
- *extensions_present = true;
- return true;
-}
-
-// Parse a DER-encoded, X.509 certificate in |cert| and find an extension with
-// the given OID. Returns false on parse error or true if the parse was
-// successful. |*out_extension_present| will be true iff the extension was
-// found. In the case where it was found, |*out_extension| will describe the
-// extension, or is undefined on parse error or if the extension is missing.
-bool ExtractExtensionWithOID(std::string_view cert, der::Input extension_oid,
- bool *out_extension_present,
- ParsedExtension *out_extension) {
- der::Parser extensions;
- bool extensions_present;
- if (!SeekToExtensions(der::Input(cert), &extensions_present, &extensions)) {
- return false;
- }
- if (!extensions_present) {
- *out_extension_present = false;
- return true;
- }
-
- while (extensions.HasMore()) {
- der::Input extension_tlv;
- if (!extensions.ReadRawTLV(&extension_tlv) ||
- !ParseExtension(extension_tlv, out_extension)) {
- return false;
- }
-
- if (out_extension->oid == extension_oid) {
- *out_extension_present = true;
- return true;
- }
- }
-
- *out_extension_present = false;
- return true;
-}
-
-} // namespace
-
-bool ExtractSubjectFromDERCert(std::string_view cert,
- std::string_view *subject_out) {
- der::Parser parser;
- if (!SeekToSubject(der::Input(cert), &parser)) {
- return false;
- }
- der::Input subject;
- if (!parser.ReadRawTLV(&subject)) {
- return false;
- }
- *subject_out = subject.AsStringView();
- return true;
-}
-
-bool ExtractSPKIFromDERCert(std::string_view cert, std::string_view *spki_out) {
- der::Parser parser;
- if (!SeekToSPKI(der::Input(cert), &parser)) {
- return false;
- }
- der::Input spki;
- if (!parser.ReadRawTLV(&spki)) {
- return false;
- }
- *spki_out = spki.AsStringView();
- return true;
-}
-
-bool ExtractSubjectPublicKeyFromSPKI(std::string_view spki,
- std::string_view *spk_out) {
- // From RFC 5280, Section 4.1
- // SubjectPublicKeyInfo ::= SEQUENCE {
- // algorithm AlgorithmIdentifier,
- // subjectPublicKey BIT STRING }
- //
- // AlgorithmIdentifier ::= SEQUENCE {
- // algorithm OBJECT IDENTIFIER,
- // parameters ANY DEFINED BY algorithm OPTIONAL }
-
- // Step into SubjectPublicKeyInfo sequence.
- der::Parser parser((der::Input(spki)));
- der::Parser spki_parser;
- if (!parser.ReadSequence(&spki_parser)) {
- return false;
- }
-
- // Step over algorithm field (a SEQUENCE).
- if (!spki_parser.SkipTag(der::kSequence)) {
- return false;
- }
-
- // Extract the subjectPublicKey field.
- der::Input spk;
- if (!spki_parser.ReadTag(der::kBitString, &spk)) {
- return false;
- }
- *spk_out = spk.AsStringView();
- return true;
-}
-
-bool HasCanSignHttpExchangesDraftExtension(std::string_view cert) {
- // kCanSignHttpExchangesDraftOid is the DER encoding of the OID for
- // canSignHttpExchangesDraft defined in:
- // https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html
- static const uint8_t kCanSignHttpExchangesDraftOid[] = {
- 0x2B, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x01, 0x16};
-
- bool extension_present;
- ParsedExtension extension;
- if (!ExtractExtensionWithOID(cert, der::Input(kCanSignHttpExchangesDraftOid),
- &extension_present, &extension) ||
- !extension_present) {
- return false;
- }
-
- // The extension should have contents NULL.
- static const uint8_t kNull[] = {0x05, 0x00};
- return extension.value == der::Input(kNull);
-}
-
-bool ExtractSignatureAlgorithmsFromDERCert(
- std::string_view cert, std::string_view *cert_signature_algorithm_sequence,
- std::string_view *tbs_signature_algorithm_sequence) {
- // From RFC 5280, section 4.1
- // Certificate ::= SEQUENCE {
- // tbsCertificate TBSCertificate,
- // signatureAlgorithm AlgorithmIdentifier,
- // signatureValue BIT STRING }
-
- // TBSCertificate ::= SEQUENCE {
- // version [0] EXPLICIT Version DEFAULT v1,
- // serialNumber CertificateSerialNumber,
- // signature AlgorithmIdentifier,
- // issuer Name,
- // validity Validity,
- // subject Name,
- // subjectPublicKeyInfo SubjectPublicKeyInfo,
- // ... }
-
- der::Parser parser((der::Input(cert)));
- der::Parser certificate;
- if (!parser.ReadSequence(&certificate)) {
- return false;
- }
-
- der::Parser tbs_certificate;
- if (!certificate.ReadSequence(&tbs_certificate)) {
- return false;
- }
-
- bool unused;
- if (!tbs_certificate.SkipOptionalTag(
- der::kTagConstructed | der::kTagContextSpecific | 0, &unused)) {
- return false;
- }
-
- // serialNumber
- if (!tbs_certificate.SkipTag(der::kInteger)) {
- return false;
- }
- // signature
- der::Input tbs_algorithm;
- if (!tbs_certificate.ReadRawTLV(&tbs_algorithm)) {
- return false;
- }
-
- der::Input cert_algorithm;
- if (!certificate.ReadRawTLV(&cert_algorithm)) {
- return false;
- }
-
- *cert_signature_algorithm_sequence = cert_algorithm.AsStringView();
- *tbs_signature_algorithm_sequence = tbs_algorithm.AsStringView();
- return true;
-}
-
-bool ExtractExtensionFromDERCert(std::string_view cert,
- std::string_view extension_oid,
- bool *out_extension_present,
- bool *out_extension_critical,
- std::string_view *out_contents) {
- *out_extension_present = false;
- *out_extension_critical = false;
- *out_contents = std::string_view();
-
- ParsedExtension extension;
- if (!ExtractExtensionWithOID(cert, der::Input(extension_oid),
- out_extension_present, &extension)) {
- return false;
- }
- if (!*out_extension_present) {
- return true;
- }
-
- *out_extension_critical = extension.critical;
- *out_contents = extension.value.AsStringView();
- return true;
-}
-
-} // namespace bssl::asn1
diff --git a/pki/asn1_util.h b/pki/asn1_util.h
deleted file mode 100644
index 365c6ed..0000000
--- a/pki/asn1_util.h
+++ /dev/null
@@ -1,73 +0,0 @@
-// Copyright 2012 The Chromium Authors
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BSSL_PKI_ASN1_UTIL_H_
-#define BSSL_PKI_ASN1_UTIL_H_
-
-#include <string_view>
-#include "fillins/openssl_util.h"
-
-
-
-namespace bssl::asn1 {
-
-// ExtractSubjectFromDERCert parses the DER encoded certificate in |cert| and
-// extracts the bytes of the X.501 Subject. On successful return, |subject_out|
-// is set to contain the Subject, pointing into |cert|.
-OPENSSL_EXPORT bool ExtractSubjectFromDERCert(std::string_view cert,
- std::string_view *subject_out);
-
-// ExtractSPKIFromDERCert parses the DER encoded certificate in |cert| and
-// extracts the bytes of the SubjectPublicKeyInfo. On successful return,
-// |spki_out| is set to contain the SPKI, pointing into |cert|.
-OPENSSL_EXPORT bool ExtractSPKIFromDERCert(std::string_view cert,
- std::string_view *spki_out);
-
-// ExtractSubjectPublicKeyFromSPKI parses the DER encoded SubjectPublicKeyInfo
-// in |spki| and extracts the bytes of the SubjectPublicKey. On successful
-// return, |spk_out| is set to contain the public key, pointing into |spki|.
-OPENSSL_EXPORT bool ExtractSubjectPublicKeyFromSPKI(std::string_view spki,
- std::string_view *spk_out);
-
-// HasCanSignHttpExchangesDraftExtension parses the DER encoded certificate
-// in |cert| and extracts the canSignHttpExchangesDraft extension
-// (https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html)
-// if present. Returns true if the extension was present, and false if
-// the extension was not present or if there was a parsing failure.
-OPENSSL_EXPORT bool HasCanSignHttpExchangesDraftExtension(
- std::string_view cert);
-
-// Extracts the two (SEQUENCE) tag-length-values for the signature
-// AlgorithmIdentifiers in a DER encoded certificate. Does not use strict
-// parsing or validate the resulting AlgorithmIdentifiers.
-//
-// On success returns true, and assigns |cert_signature_algorithm_sequence| and
-// |tbs_signature_algorithm_sequence| to point into |cert|:
-//
-// * |cert_signature_algorithm_sequence| points at the TLV for
-// Certificate.signatureAlgorithm.
-//
-// * |tbs_signature_algorithm_sequence| points at the TLV for
-// TBSCertificate.algorithm.
-OPENSSL_EXPORT bool ExtractSignatureAlgorithmsFromDERCert(
- std::string_view cert, std::string_view *cert_signature_algorithm_sequence,
- std::string_view *tbs_signature_algorithm_sequence);
-
-// Extracts the contents of the extension (if any) with OID |extension_oid| from
-// the DER-encoded, X.509 certificate in |cert|.
-//
-// Returns false on parse error or true if the parse was successful. Sets
-// |*out_extension_present| to whether or not the extension was found. If found,
-// sets |*out_extension_critical| to match the extension's "critical" flag, and
-// sets |*out_contents| to the contents of the extension (after unwrapping the
-// OCTET STRING).
-OPENSSL_EXPORT bool ExtractExtensionFromDERCert(std::string_view cert,
- std::string_view extension_oid,
- bool *out_extension_present,
- bool *out_extension_critical,
- std::string_view *out_contents);
-
-} // namespace bssl::asn1
-
-#endif // BSSL_PKI_ASN1_UTIL_H_
diff --git a/pki/cert_status_flags.h b/pki/cert_status_flags.h
deleted file mode 100644
index cd66547..0000000
--- a/pki/cert_status_flags.h
+++ /dev/null
@@ -1,49 +0,0 @@
-// Copyright 2012 The Chromium Authors
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BSSL_PKI_CERT_STATUS_FLAGS_H_
-#define BSSL_PKI_CERT_STATUS_FLAGS_H_
-
-#include <stdint.h>
-#include "fillins/openssl_util.h"
-
-
-
-namespace bssl {
-
-// Bitmask of status flags of a certificate, representing any errors, as well as
-// other non-error status information such as whether the certificate is EV.
-typedef uint32_t CertStatus;
-
-// NOTE: Because these names have appeared in bug reports, we preserve them as
-// MACRO_STYLE for continuity, instead of renaming them to kConstantStyle as
-// befits most static consts.
-#define CERT_STATUS_FLAG(label, value) \
- CertStatus static const CERT_STATUS_##label = value;
-#include "cert_status_flags_list.h"
-#undef CERT_STATUS_FLAG
-
-static const CertStatus CERT_STATUS_ALL_ERRORS = 0xFF00FFFF;
-
-// Returns true if the specified cert status has an error set.
-inline bool IsCertStatusError(CertStatus status) {
- return (CERT_STATUS_ALL_ERRORS & status) != 0;
-}
-
-// Maps a network error code to the equivalent certificate status flag. If
-// the error code is not a certificate error, it is mapped to 0.
-// Note: It is not safe to go bssl::CertStatus -> bssl::Error ->
-// bssl::CertStatus, as the CertStatus contains more information. Conversely,
-// going from bssl::Error -> bssl::CertStatus -> bssl::Error is not a lossy
-// function, for the same reason. To avoid incorrect use, this is only exported
-// for unittest helpers.
-OPENSSL_EXPORT CertStatus MapNetErrorToCertStatus(int error);
-
-// Maps the most serious certificate error in the certificate status flags
-// to the equivalent network error code.
-OPENSSL_EXPORT int MapCertStatusToNetError(CertStatus cert_status);
-
-} // namespace bssl
-
-#endif // BSSL_PKI_CERT_STATUS_FLAGS_H_
diff --git a/pki/cert_status_flags_list.h b/pki/cert_status_flags_list.h
deleted file mode 100644
index d5ab73c..0000000
--- a/pki/cert_status_flags_list.h
+++ /dev/null
@@ -1,47 +0,0 @@
-// Copyright 2014 The Chromium Authors
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This file intentionally does not have header guards, it's included
-// inside a macro to generate enum values. The following line silences a
-// presubmit warning that would otherwise be triggered by this:
-// no-include-guard-because-multiply-included
-// NOLINT(build/header_guard)
-
-// This is the list of CertStatus flags and their values.
-//
-// Defines the values using a macro CERT_STATUS_FLAG,
-// so it can be expanded differently in some places
-
-// The possible status bits for CertStatus.
-// Bits 0 to 15 are for errors.
-CERT_STATUS_FLAG(COMMON_NAME_INVALID, 1 << 0)
-CERT_STATUS_FLAG(DATE_INVALID, 1 << 1)
-CERT_STATUS_FLAG(AUTHORITY_INVALID, 1 << 2)
-// 1 << 3 is reserved for ERR_CERT_CONTAINS_ERRORS (not useful with WinHTTP).
-CERT_STATUS_FLAG(NO_REVOCATION_MECHANISM, 1 << 4)
-CERT_STATUS_FLAG(UNABLE_TO_CHECK_REVOCATION, 1 << 5)
-CERT_STATUS_FLAG(REVOKED, 1 << 6)
-CERT_STATUS_FLAG(INVALID, 1 << 7)
-CERT_STATUS_FLAG(WEAK_SIGNATURE_ALGORITHM, 1 << 8)
-// 1 << 9 was used for CERT_STATUS_NOT_IN_DNS
-CERT_STATUS_FLAG(NON_UNIQUE_NAME, 1 << 10)
-CERT_STATUS_FLAG(WEAK_KEY, 1 << 11)
-// 1 << 12 was used for CERT_STATUS_WEAK_DH_KEY
-CERT_STATUS_FLAG(PINNED_KEY_MISSING, 1 << 13)
-CERT_STATUS_FLAG(NAME_CONSTRAINT_VIOLATION, 1 << 14)
-CERT_STATUS_FLAG(VALIDITY_TOO_LONG, 1 << 15)
-
-// Bits 16 to 23 are for non-error statuses.
-CERT_STATUS_FLAG(IS_EV, 1 << 16)
-CERT_STATUS_FLAG(REV_CHECKING_ENABLED, 1 << 17)
-// Bit 18 was CERT_STATUS_IS_DNSSEC
-CERT_STATUS_FLAG(SHA1_SIGNATURE_PRESENT, 1 << 19)
-CERT_STATUS_FLAG(CT_COMPLIANCE_FAILED, 1 << 20)
-CERT_STATUS_FLAG(KNOWN_INTERCEPTION_DETECTED, 1 << 21)
-
-// Bits 24 - 31 are for errors.
-CERT_STATUS_FLAG(CERTIFICATE_TRANSPARENCY_REQUIRED, 1 << 24)
-CERT_STATUS_FLAG(SYMANTEC_LEGACY, 1 << 25)
-CERT_STATUS_FLAG(KNOWN_INTERCEPTION_BLOCKED, 1 << 26)
-// Bit 27 was CERT_STATUS_LEGACY_TLS.