Make X509_CRL opaque.
Update-Note: Use accessors instead.
Change-Id: I7b41eb7c724d94d3e6d26498063e045a1850c671
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48465
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
index 7b91cbd..a630cdf 100644
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -68,6 +68,7 @@
#if !defined(OPENSSL_TRUSTY)
#include "../internal.h"
+#include "internal.h"
typedef struct lookup_dir_hashes_st {
unsigned long hash;
diff --git a/crypto/x509/internal.h b/crypto/x509/internal.h
index 59e980a..8c37985 100644
--- a/crypto/x509/internal.h
+++ b/crypto/x509/internal.h
@@ -112,6 +112,42 @@
CRYPTO_refcount_t references;
} /* X509_REQ */;
+typedef struct {
+ ASN1_INTEGER *version;
+ X509_ALGOR *sig_alg;
+ X509_NAME *issuer;
+ ASN1_TIME *lastUpdate;
+ ASN1_TIME *nextUpdate;
+ STACK_OF(X509_REVOKED) *revoked;
+ STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
+ ASN1_ENCODING enc;
+} X509_CRL_INFO;
+
+DECLARE_ASN1_FUNCTIONS(X509_CRL_INFO)
+
+struct X509_crl_st {
+ // actual signature
+ X509_CRL_INFO *crl;
+ X509_ALGOR *sig_alg;
+ ASN1_BIT_STRING *signature;
+ CRYPTO_refcount_t references;
+ int flags;
+ // Copies of various extensions
+ AUTHORITY_KEYID *akid;
+ ISSUING_DIST_POINT *idp;
+ // Convenient breakdown of IDP
+ int idp_flags;
+ int idp_reasons;
+ // CRL and base CRL numbers for delta processing
+ ASN1_INTEGER *crl_number;
+ ASN1_INTEGER *base_crl_number;
+ unsigned char sha1_hash[SHA_DIGEST_LENGTH];
+ STACK_OF(GENERAL_NAMES) *issuers;
+ const X509_CRL_METHOD *meth;
+ void *meth_data;
+} /* X509_CRL */;
+
+
struct X509_VERIFY_PARAM_st {
char *name;
time_t check_time; // Time to use
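Review bot: The `// actual signature` comment carried over above `X509_CRL_INFO *crl` in `struct X509_crl_st` labels the wrong field: `crl` is the TBSCertList that the signature covers, while the signature itself is the `sig_alg`/`signature` pair two lines below, so moving the definition into internal.h is the moment to fix it. I'd replace that line with `// crl is the signed TBSCertList; sig_alg and signature form the outer signature.`. The inner `sig_alg` in `X509_CRL_INFO` duplicates the outer one, and RFC 5280 (5.1.1.2) requires the two to agree, so a one-line comment on the inner field such as `// Must agree with X509_crl_st.sig_alg (RFC 5280, 5.1.1.2).` would make the invariant visible to anyone reaching into the struct now that only this header exposes it; whether the parser already rejects a mismatch is not visible in this diff and is worth confirming. The t_crl.c hunk's note about printing the outer algorithm twice is the visible consequence of that duplication.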
diff --git a/crypto/x509/t_crl.c b/crypto/x509/t_crl.c
index 14f98c5..42f05cd 100644
--- a/crypto/x509/t_crl.c
+++ b/crypto/x509/t_crl.c
@@ -86,7 +86,13 @@
BIO_printf(out, "Certificate Revocation List (CRL):\n");
l = X509_CRL_get_version(x);
BIO_printf(out, "%8sVersion %lu (0x%lx)\n", "", l + 1, l);
- X509_signature_print(out, x->sig_alg, NULL);
+ const X509_ALGOR *sig_alg;
+ const ASN1_BIT_STRING *signature;
+ X509_CRL_get0_signature(x, &signature, &sig_alg);
+ // Note this and the other |X509_signature_print| call print the outer
+ // signature algorithm twice, rather than both the inner and outer ones.
+ // This matches OpenSSL, though it was probably a bug.
+ X509_signature_print(out, sig_alg, NULL);
p = X509_NAME_oneline(X509_CRL_get_issuer(x), NULL, 0);
BIO_printf(out, "%8sIssuer: %s\n", "", p);
OPENSSL_free(p);
@@ -99,7 +105,8 @@
BIO_printf(out, "NONE");
BIO_printf(out, "\n");
- X509V3_extensions_print(out, "CRL extensions", x->crl->extensions, 0, 8);
+ X509V3_extensions_print(out, "CRL extensions", X509_CRL_get0_extensions(x),
+ 0, 8);
rev = X509_CRL_get_REVOKED(x);
@@ -118,7 +125,7 @@
X509V3_extensions_print(out, "CRL entry extensions",
r->extensions, 0, 8);
}
- X509_signature_print(out, x->sig_alg, x->signature);
+ X509_signature_print(out, sig_alg, signature);
return 1;
diff --git a/crypto/x509/x509_ext.c b/crypto/x509/x509_ext.c
index 362c95b..a08e2a8 100644
--- a/crypto/x509/x509_ext.c
+++ b/crypto/x509/x509_ext.c
@@ -62,6 +62,8 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "internal.h"
+
int X509_CRL_get_ext_count(const X509_CRL *x)
{
return (X509v3_get_ext_count(x->crl->extensions));
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index 4046c3e..6d51ffd 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -64,6 +64,7 @@
#include <openssl/x509v3.h>
#include "../internal.h"
+#include "internal.h"
X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
{
diff --git a/crypto/x509/x509cset.c b/crypto/x509/x509cset.c
index ae93499..7816d73 100644
--- a/crypto/x509/x509cset.c
+++ b/crypto/x509/x509cset.c
@@ -60,6 +60,7 @@
#include <openssl/x509.h>
#include "../internal.h"
+#include "internal.h"
int X509_CRL_set_version(X509_CRL *x, long version)
{
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index 3f5fc1d..f6fbd0a 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -66,6 +66,7 @@
#include <openssl/x509v3.h>
#include "../internal.h"
+#include "internal.h"
/*
* Method to handle CRL access. In general a CRL could be very large (several
diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c
index 158f8df..3192752 100644
--- a/crypto/x509v3/v3_conf.c
+++ b/crypto/x509v3/v3_conf.c
@@ -69,6 +69,7 @@
#include <openssl/x509v3.h>
#include "../internal.h"
+#include "../x509/internal.h"
#include "internal.h"
static int v3_check_critical(const char **value);
diff --git a/include/openssl/base.h b/include/openssl/base.h
index 88cfb8f..ea4366a 100644
--- a/include/openssl/base.h
+++ b/include/openssl/base.h
@@ -365,7 +365,6 @@
typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
typedef struct X509_VERIFY_PARAM_st X509_VERIFY_PARAM;
typedef struct X509_algor_st X509_ALGOR;
-typedef struct X509_crl_info_st X509_CRL_INFO;
typedef struct X509_crl_st X509_CRL;
typedef struct X509_extension_st X509_EXTENSION;
typedef struct X509_info_st X509_INFO;
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 1e745ca..4960b35 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -316,41 +316,8 @@
DEFINE_STACK_OF(X509_REVOKED)
-struct X509_crl_info_st {
- ASN1_INTEGER *version;
- X509_ALGOR *sig_alg;
- X509_NAME *issuer;
- ASN1_TIME *lastUpdate;
- ASN1_TIME *nextUpdate;
- STACK_OF(X509_REVOKED) *revoked;
- STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
- ASN1_ENCODING enc;
-} /* X509_CRL_INFO */;
-
DECLARE_STACK_OF(GENERAL_NAMES)
-struct X509_crl_st {
- // actual signature
- X509_CRL_INFO *crl;
- X509_ALGOR *sig_alg;
- ASN1_BIT_STRING *signature;
- CRYPTO_refcount_t references;
- int flags;
- // Copies of various extensions
- AUTHORITY_KEYID *akid;
- ISSUING_DIST_POINT *idp;
- // Convenient breakdown of IDP
- int idp_flags;
- int idp_reasons;
- // CRL and base CRL numbers for delta processing
- ASN1_INTEGER *crl_number;
- ASN1_INTEGER *base_crl_number;
- unsigned char sha1_hash[SHA_DIGEST_LENGTH];
- STACK_OF(GENERAL_NAMES) *issuers;
- const X509_CRL_METHOD *meth;
- void *meth_data;
-} /* X509_CRL */;
-
DEFINE_STACK_OF(X509_CRL)
struct private_key_st {
@@ -1040,7 +1007,6 @@
OPENSSL_EXPORT void X509_reject_clear(X509 *x);
DECLARE_ASN1_FUNCTIONS(X509_REVOKED)
-DECLARE_ASN1_FUNCTIONS(X509_CRL_INFO)
DECLARE_ASN1_FUNCTIONS(X509_CRL)
OPENSSL_EXPORT int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);