Unexport all low-level policy machinery.

OpenSSL has a large exported API surface for exporting the policy tree
out of an X509_STORE_CTX. As far as I can tell, no one uses any of these
APIs. Remove them.

Update-Note: It is no longer possible to see the policy tree after an
X.509 verification. As far as we can tell, this feature is unused.

Change-Id: Ieab374774805e90106555ce4e4155f8451ceb5b9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53327
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt
index 80752d1..0af3ea7 100644
--- a/crypto/CMakeLists.txt
+++ b/crypto/CMakeLists.txt
@@ -400,7 +400,6 @@
   x509/x_x509a.c
   x509v3/pcy_cache.c
   x509v3/pcy_data.c
-  x509v3/pcy_lib.c
   x509v3/pcy_map.c
   x509v3/pcy_node.c
   x509v3/pcy_tree.c
diff --git a/crypto/x509/internal.h b/crypto/x509/internal.h
index 77f2d97..7904356 100644
--- a/crypto/x509/internal.h
+++ b/crypto/x509/internal.h
@@ -72,6 +72,9 @@
 
 // Internal structures.
 
+typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
+typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
+
 typedef struct X509_val_st {
   ASN1_TIME *notBefore;
   ASN1_TIME *notAfter;
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 5a97353..b45797a 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1710,6 +1710,9 @@
   if (ctx->parent) {
     return 1;
   }
+  // TODO(davidben): Historically, outputs of the |X509_policy_check| were saved
+  // on |ctx| and accessible via the public API. This has since been removed, so
+  // remove the fields from |X509_STORE_CTX|.
   ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
                           ctx->param->policies, ctx->param->flags);
   if (ret == 0) {
@@ -2406,14 +2409,6 @@
   ctx->verify_cb = verify_cb;
 }
 
-X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) {
-  return ctx->tree;
-}
-
-int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) {
-  return ctx->explicit_policy;
-}
-
 int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) {
   const X509_VERIFY_PARAM *param;
   param = X509_VERIFY_PARAM_lookup(name);
diff --git a/crypto/x509v3/internal.h b/crypto/x509v3/internal.h
index abace33..9c9c425 100644
--- a/crypto/x509v3/internal.h
+++ b/crypto/x509v3/internal.h
@@ -65,6 +65,11 @@
 #include <openssl/stack.h>
 #include <openssl/x509v3.h>
 
+// TODO(davidben): Merge x509 and x509v3. This include is needed because some
+// internal typedefs are shared between the two, but the two modules depend on
+// each other circularly.
+#include "../x509/internal.h"
+
 #if defined(__cplusplus)
 extern "C" {
 #endif
@@ -122,9 +127,6 @@
 int x509V3_add_value_asn1_string(const char *name, const ASN1_STRING *value,
                                  STACK_OF(CONF_VALUE) **extlist);
 
-typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
-
-DEFINE_STACK_OF(X509_POLICY_DATA)
 
 // Internal structures
 
@@ -133,6 +135,12 @@
 // X509_POLICY_NODE contains that. This means that the main policy data can
 // be kept static and cached with the certificate.
 
+typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
+typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
+typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
+
+DEFINE_STACK_OF(X509_POLICY_DATA)
+
 struct X509_POLICY_DATA_st {
   unsigned int flags;
   // Policy OID and qualifiers for this data
@@ -199,6 +207,8 @@
   int nchild;
 };
 
+DEFINE_STACK_OF(X509_POLICY_NODE)
+
 struct X509_POLICY_LEVEL_st {
   // Cert for this level
   X509 *cert;
@@ -235,6 +245,14 @@
 
 // Internal functions
 
+void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
+
+int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
+                      STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids,
+                      unsigned int flags);
+
+void X509_policy_tree_free(X509_POLICY_TREE *tree);
+
 X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id,
                                   int crit);
 void policy_data_free(X509_POLICY_DATA *data);
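Review bot: `X509_policy_check` is declared here with no comment on its return convention or on who owns `*ptree`, and since its public declaration is deleted in this same commit, the contract now lives nowhere. The convention is partly visible elsewhere in the diff: `x509_vfy.c` treats `ret == 0` as the failure case, and `pcy_tree.c` returns 1 on success, 0 after freeing the tree on its `error:` path, and -2 when an explicit policy is required but the policy set is empty. I'd add above the prototype: `// X509_policy_check evaluates the policies of |certs| against |policy_oids| and |flags|. It returns 1 on success, 0 on an internal error, or a negative value if the chain fails policy checking; on success the caller presumably owns |*ptree| and releases it with |X509_policy_tree_free| (confirm against pcy_tree.c).` A one-line comment each on `X509_POLICY_NODE_print` and `X509_policy_tree_free` (noting whether the latter accepts NULL) would complete the header.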
diff --git a/crypto/x509v3/pcy_lib.c b/crypto/x509v3/pcy_lib.c
deleted file mode 100644
index 9a629a3..0000000
--- a/crypto/x509v3/pcy_lib.c
+++ /dev/null
@@ -1,156 +0,0 @@
-/* pcy_lib.c */
-/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "internal.h"
-
-// accessor functions
-
-// X509_POLICY_TREE stuff
-
-int X509_policy_tree_level_count(const X509_POLICY_TREE *tree) {
-  if (!tree) {
-    return 0;
-  }
-  return tree->nlevel;
-}
-
-X509_POLICY_LEVEL *X509_policy_tree_get0_level(const X509_POLICY_TREE *tree,
-                                               int i) {
-  if (!tree || (i < 0) || (i >= tree->nlevel)) {
-    return NULL;
-  }
-  return tree->levels + i;
-}
-
-STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_policies(
-    const X509_POLICY_TREE *tree) {
-  if (!tree) {
-    return NULL;
-  }
-  return tree->auth_policies;
-}
-
-STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_user_policies(
-    const X509_POLICY_TREE *tree) {
-  if (!tree) {
-    return NULL;
-  }
-  if (tree->flags & POLICY_FLAG_ANY_POLICY) {
-    return tree->auth_policies;
-  } else {
-    return tree->user_policies;
-  }
-}
-
-// X509_POLICY_LEVEL stuff
-
-int X509_policy_level_node_count(X509_POLICY_LEVEL *level) {
-  int n;
-  if (!level) {
-    return 0;
-  }
-  if (level->anyPolicy) {
-    n = 1;
-  } else {
-    n = 0;
-  }
-  if (level->nodes) {
-    n += sk_X509_POLICY_NODE_num(level->nodes);
-  }
-  return n;
-}
-
-X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i) {
-  if (!level) {
-    return NULL;
-  }
-  if (level->anyPolicy) {
-    if (i == 0) {
-      return level->anyPolicy;
-    }
-    i--;
-  }
-  return sk_X509_POLICY_NODE_value(level->nodes, i);
-}
-
-// X509_POLICY_NODE stuff
-
-const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node) {
-  if (!node) {
-    return NULL;
-  }
-  return node->data->valid_policy;
-}
-
-STACK_OF(POLICYQUALINFO) *X509_policy_node_get0_qualifiers(
-    const X509_POLICY_NODE *node) {
-  if (!node) {
-    return NULL;
-  }
-  return node->data->qualifier_set;
-}
-
-const X509_POLICY_NODE *X509_policy_node_get0_parent(
-    const X509_POLICY_NODE *node) {
-  if (!node) {
-    return NULL;
-  }
-  return node->parent;
-}
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 673c615..44ade30 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -811,7 +811,11 @@
   }
 
   if (*pexplicit_policy) {
-    nodes = X509_policy_tree_get0_user_policies(tree);
+    if (tree->flags & POLICY_FLAG_ANY_POLICY) {
+      nodes = tree->auth_policies;
+    } else {
+      nodes = tree->user_policies;
+    }
     if (sk_X509_POLICY_NODE_num(nodes) <= 0) {
       return -2;
     }
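Review bot: The inlined selection of `nodes` carries over the removed accessor's `POLICY_FLAG_ANY_POLICY` branch without the context a reader of `X509_policy_check` now needs to understand why the authority set is used in place of the user set. Presumably the flag records that the requested policy set contained anyPolicy, which makes every authority policy acceptable, but nothing in this file says so now that the accessor and its name are gone. I'd add `// If the requested policy set contained anyPolicy (POLICY_FLAG_ANY_POLICY), every authority policy is acceptable, so the authority set doubles as the user set.` above the new `if`. The enclosing function begins before this hunk.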
@@ -820,8 +824,6 @@
   return 1;
 
 error:
-
   X509_policy_tree_free(tree);
-
   return 0;
 }
diff --git a/include/openssl/base.h b/include/openssl/base.h
index 7e58f00..b74e66f 100644
--- a/include/openssl/base.h
+++ b/include/openssl/base.h
@@ -364,10 +364,6 @@
 typedef struct Netscape_spkac_st NETSCAPE_SPKAC;
 typedef struct Netscape_spki_st NETSCAPE_SPKI;
 typedef struct RIPEMD160state_st RIPEMD160_CTX;
-typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
-typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
-typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
-typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
 typedef struct X509_VERIFY_PARAM_st X509_VERIFY_PARAM;
 typedef struct X509_algor_st X509_ALGOR;
 typedef struct X509_crl_st X509_CRL;
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 34eb840..acb20f4 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -2660,10 +2660,6 @@
 OPENSSL_EXPORT void X509_STORE_CTX_set_verify_cb(
     X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *));
 
-OPENSSL_EXPORT X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(
-    X509_STORE_CTX *ctx);
-OPENSSL_EXPORT int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
-
 OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(
     X509_STORE_CTX *ctx);
 OPENSSL_EXPORT void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx,
@@ -2729,37 +2725,6 @@
     const char *name);
 OPENSSL_EXPORT void X509_VERIFY_PARAM_table_cleanup(void);
 
-OPENSSL_EXPORT int X509_policy_check(X509_POLICY_TREE **ptree,
-                                     int *pexplicit_policy,
-                                     STACK_OF(X509) *certs,
-                                     STACK_OF(ASN1_OBJECT) *policy_oids,
-                                     unsigned int flags);
-
-OPENSSL_EXPORT void X509_policy_tree_free(X509_POLICY_TREE *tree);
-
-OPENSSL_EXPORT int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
-OPENSSL_EXPORT X509_POLICY_LEVEL *X509_policy_tree_get0_level(
-    const X509_POLICY_TREE *tree, int i);
-
-OPENSSL_EXPORT STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_policies(
-    const X509_POLICY_TREE *tree);
-
-OPENSSL_EXPORT STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_user_policies(
-    const X509_POLICY_TREE *tree);
-
-OPENSSL_EXPORT int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
-
-OPENSSL_EXPORT X509_POLICY_NODE *X509_policy_level_get0_node(
-    X509_POLICY_LEVEL *level, int i);
-
-OPENSSL_EXPORT const ASN1_OBJECT *X509_policy_node_get0_policy(
-    const X509_POLICY_NODE *node);
-
-OPENSSL_EXPORT STACK_OF(POLICYQUALINFO) *X509_policy_node_get0_qualifiers(
-    const X509_POLICY_NODE *node);
-OPENSSL_EXPORT const X509_POLICY_NODE *X509_policy_node_get0_parent(
-    const X509_POLICY_NODE *node);
-
 
 #if defined(__cplusplus)
 }  // extern C
@@ -2784,7 +2749,6 @@
 BORINGSSL_MAKE_DELETER(X509_NAME, X509_NAME_free)
 BORINGSSL_MAKE_DELETER(X509_NAME_ENTRY, X509_NAME_ENTRY_free)
 BORINGSSL_MAKE_DELETER(X509_PKEY, X509_PKEY_free)
-BORINGSSL_MAKE_DELETER(X509_POLICY_TREE, X509_policy_tree_free)
 BORINGSSL_MAKE_DELETER(X509_PUBKEY, X509_PUBKEY_free)
 BORINGSSL_MAKE_DELETER(X509_REQ, X509_REQ_free)
 BORINGSSL_MAKE_DELETER(X509_REVOKED, X509_REVOKED_free)
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index 0ae9613..38c72cd 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -906,10 +906,6 @@
                                             STACK_OF(CONF_VALUE) *dn_sk,
                                             unsigned long chtype);
 
-OPENSSL_EXPORT void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node,
-                                           int indent);
-DEFINE_STACK_OF(X509_POLICY_NODE)
-
 // BEGIN ERROR CODES
 // The following lines are auto generated by the script mkerr.pl. Any changes
 // made after this point may be overwritten when the script is next run.