Remove PKCS8_pkey_get0 and PKCS8_pkey_set0.
I can't find any users of these APIs. If we remove them, the only
publicly exposed operation on PKCS8_PRIV_KEY_INFO becomes
EVP_PKCS82PKEY. We can then parse it without a dependency on the legacy
ASN.1 stack.
While I'm here, remove the callback on the structure. OPENSSL_free
automatically calls OPENSSL_cleanse in BoringSSL, so the call is
redundant.
Update-Note: Removed some unused accessors.
Change-Id: I400748463abe3c28dfa42ae9de9be59cb76cd2b2
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53332
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/crypto/pkcs8/pkcs8_x509.c b/crypto/pkcs8/pkcs8_x509.c
index 5a1d591..f5dd5b4 100644
--- a/crypto/pkcs8/pkcs8_x509.c
+++ b/crypto/pkcs8/pkcs8_x509.c
@@ -90,61 +90,15 @@
return 0 < iterations && iterations <= kIterationsLimit;
}
-// Minor tweak to operation: zero private key data
-static int pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
- void *exarg) {
- // Since the structure must still be valid use ASN1_OP_FREE_PRE
- if (operation == ASN1_OP_FREE_PRE) {
- PKCS8_PRIV_KEY_INFO *key = (PKCS8_PRIV_KEY_INFO *)*pval;
- if (key->pkey) {
- OPENSSL_cleanse(key->pkey->data, key->pkey->length);
- }
- }
- return 1;
-}
-
-ASN1_SEQUENCE_cb(PKCS8_PRIV_KEY_INFO, pkey_cb) = {
+ASN1_SEQUENCE(PKCS8_PRIV_KEY_INFO) = {
ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, version, ASN1_INTEGER),
ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkeyalg, X509_ALGOR),
ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkey, ASN1_OCTET_STRING),
ASN1_IMP_SET_OF_OPT(PKCS8_PRIV_KEY_INFO, attributes, X509_ATTRIBUTE, 0),
-} ASN1_SEQUENCE_END_cb(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO)
+} ASN1_SEQUENCE_END(PKCS8_PRIV_KEY_INFO)
IMPLEMENT_ASN1_FUNCTIONS_const(PKCS8_PRIV_KEY_INFO)
-int PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj, int version,
- int ptype, void *pval, uint8_t *penc, int penclen) {
- if (version >= 0 &&
- !ASN1_INTEGER_set(priv->version, version)) {
- return 0;
- }
-
- if (!X509_ALGOR_set0(priv->pkeyalg, aobj, ptype, pval)) {
- return 0;
- }
-
- if (penc != NULL) {
- ASN1_STRING_set0(priv->pkey, penc, penclen);
- }
-
- return 1;
-}
-
-int PKCS8_pkey_get0(ASN1_OBJECT **ppkalg, const uint8_t **pk, int *ppklen,
- X509_ALGOR **pa, PKCS8_PRIV_KEY_INFO *p8) {
- if (ppkalg) {
- *ppkalg = p8->pkeyalg->algorithm;
- }
- if (pk) {
- *pk = ASN1_STRING_data(p8->pkey);
- *ppklen = ASN1_STRING_length(p8->pkey);
- }
- if (pa) {
- *pa = p8->pkeyalg;
- }
- return 1;
-}
-
EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8) {
uint8_t *der = NULL;
int der_len = i2d_PKCS8_PRIV_KEY_INFO(p8, &der);
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 6c3d978..b89be08 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -2243,13 +2243,6 @@
OPENSSL_EXPORT EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8);
OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey);
-OPENSSL_EXPORT int PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj,
- int version, int ptype, void *pval,
- unsigned char *penc, int penclen);
-OPENSSL_EXPORT int PKCS8_pkey_get0(ASN1_OBJECT **ppkalg,
- const unsigned char **pk, int *ppklen,
- X509_ALGOR **pa, PKCS8_PRIV_KEY_INFO *p8);
-
// X509_PUBKEY_set0_param sets |pub| to a key with AlgorithmIdentifier
// determined by |obj|, |param_type|, and |param_value|, and an encoded
// public key of |key|. On success, it takes ownership of all its parameters and
