Unexport all low-level policy machinery.

OpenSSL has a large exported API surface for exporting the policy tree
out of an X509_STORE_CTX. As far as I can tell, no one uses any of these
APIs. Remove them.

Update-Note: It is no longer possibly to see the policy tree after an
X.509 verification. As far as we can tell, this feature is unused.

Change-Id: Ieab374774805e90106555ce4e4155f8451ceb5b9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53327
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

crypto/CMakeLists.txt

@@ -400,7 +400,6 @@ add_library(
   x509/x_x509a.c
   x509v3/pcy_cache.c
   x509v3/pcy_data.c
-  x509v3/pcy_lib.c
   x509v3/pcy_map.c
   x509v3/pcy_node.c
   x509v3/pcy_tree.c

crypto/x509/internal.h

@@ -72,6 +72,9 @@ extern "C" {
 
 // Internal structures.
 
+typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
+typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
+
 typedef struct X509_val_st {
   ASN1_TIME *notBefore;
   ASN1_TIME *notAfter;

crypto/x509/x509_vfy.c

@@ -1710,6 +1710,9 @@ static int check_policy(X509_STORE_CTX *ctx) {
   if (ctx->parent) {
     return 1;
   }
+  // TODO(davidben): Historically, outputs of the |X509_policy_check| were saved
+  // on |ctx| and accessible via the public API. This has since been removed, so
+  // remove the fields from |X509_STORE_CTX|.
   ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
                           ctx->param->policies, ctx->param->flags);
   if (ret == 0) {
@@ -2406,14 +2409,6 @@ void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
   ctx->verify_cb = verify_cb;
 }
 
-X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) {
-  return ctx->tree;
-}
-
-int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) {
-  return ctx->explicit_policy;
-}
-
 int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) {
   const X509_VERIFY_PARAM *param;
   param = X509_VERIFY_PARAM_lookup(name);

crypto/x509v3/internal.h

@@ -65,6 +65,11 @@
 #include <openssl/stack.h>
 #include <openssl/x509v3.h>
 
+// TODO(davidben): Merge x509 and x509v3. This include is needed because some
+// internal typedefs are shared between the two, but the two modules depend on
+// each other circularly.
+#include "../x509/internal.h"
+
 #if defined(__cplusplus)
 extern "C" {
 #endif
@@ -122,9 +127,6 @@ typedef struct {
 int x509V3_add_value_asn1_string(const char *name, const ASN1_STRING *value,
                                  STACK_OF(CONF_VALUE) **extlist);
 
-typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
-
-DEFINE_STACK_OF(X509_POLICY_DATA)
 
 // Internal structures
 
@@ -133,6 +135,12 @@ DEFINE_STACK_OF(X509_POLICY_DATA)
 // X509_POLICY_NODE contains that. This means that the main policy data can
 // be kept static and cached with the certificate.
 
+typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
+typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
+typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
+
+DEFINE_STACK_OF(X509_POLICY_DATA)
+
 struct X509_POLICY_DATA_st {
   unsigned int flags;
   // Policy OID and qualifiers for this data
@@ -199,6 +207,8 @@ struct X509_POLICY_NODE_st {
   int nchild;
 };
 
+DEFINE_STACK_OF(X509_POLICY_NODE)
+
 struct X509_POLICY_LEVEL_st {
   // Cert for this level
   X509 *cert;
@@ -235,6 +245,14 @@ struct X509_POLICY_TREE_st {
 
 // Internal functions
 
+void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
+
+int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
+                      STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids,
+                      unsigned int flags);
+
+void X509_policy_tree_free(X509_POLICY_TREE *tree);
+
 X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id,
                                   int crit);
 void policy_data_free(X509_POLICY_DATA *data);

crypto/x509v3/pcy_lib.c

@@ -1,156 +0,0 @@
-/* pcy_lib.c */
-/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "internal.h"
-
-// accessor functions
-
-// X509_POLICY_TREE stuff
-
-int X509_policy_tree_level_count(const X509_POLICY_TREE *tree) {
-  if (!tree) {
-    return 0;
-  }
-  return tree->nlevel;
-}
-
-X509_POLICY_LEVEL *X509_policy_tree_get0_level(const X509_POLICY_TREE *tree,
-                                               int i) {
-  if (!tree || (i < 0) || (i >= tree->nlevel)) {
-    return NULL;
-  }
-  return tree->levels + i;
-}
-
-STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_policies(
-    const X509_POLICY_TREE *tree) {
-  if (!tree) {
-    return NULL;
-  }
-  return tree->auth_policies;
-}
-
-STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_user_policies(
-    const X509_POLICY_TREE *tree) {
-  if (!tree) {
-    return NULL;
-  }
-  if (tree->flags & POLICY_FLAG_ANY_POLICY) {
-    return tree->auth_policies;
-  } else {
-    return tree->user_policies;
-  }
-}
-
-// X509_POLICY_LEVEL stuff
-
-int X509_policy_level_node_count(X509_POLICY_LEVEL *level) {
-  int n;
-  if (!level) {
-    return 0;
-  }
-  if (level->anyPolicy) {
-    n = 1;
-  } else {
-    n = 0;
-  }
-  if (level->nodes) {
-    n += sk_X509_POLICY_NODE_num(level->nodes);
-  }
-  return n;
-}
-
-X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i) {
-  if (!level) {
-    return NULL;
-  }
-  if (level->anyPolicy) {
-    if (i == 0) {
-      return level->anyPolicy;
-    }
-    i--;
-  }
-  return sk_X509_POLICY_NODE_value(level->nodes, i);
-}
-
-// X509_POLICY_NODE stuff
-
-const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node) {
-  if (!node) {
-    return NULL;
-  }
-  return node->data->valid_policy;
-}
-
-STACK_OF(POLICYQUALINFO) *X509_policy_node_get0_qualifiers(
-    const X509_POLICY_NODE *node) {
-  if (!node) {
-    return NULL;
-  }
-  return node->data->qualifier_set;
-}
-
-const X509_POLICY_NODE *X509_policy_node_get0_parent(
-    const X509_POLICY_NODE *node) {
-  if (!node) {
-    return NULL;
-  }
-  return node->parent;
-}

crypto/x509v3/pcy_tree.c

@@ -811,7 +811,11 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
   }
 
   if (*pexplicit_policy) {
-    nodes = X509_policy_tree_get0_user_policies(tree);
+    if (tree->flags & POLICY_FLAG_ANY_POLICY) {
+      nodes = tree->auth_policies;
+    } else {
+      nodes = tree->user_policies;
+    }
     if (sk_X509_POLICY_NODE_num(nodes) <= 0) {
       return -2;
     }
@@ -820,8 +824,6 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
   return 1;
 
 error:
-
   X509_policy_tree_free(tree);
-
   return 0;
 }

include/openssl/base.h

@@ -364,10 +364,6 @@ typedef struct NAME_CONSTRAINTS_st NAME_CONSTRAINTS;
 typedef struct Netscape_spkac_st NETSCAPE_SPKAC;
 typedef struct Netscape_spki_st NETSCAPE_SPKI;
 typedef struct RIPEMD160state_st RIPEMD160_CTX;
-typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
-typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
-typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
-typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
 typedef struct X509_VERIFY_PARAM_st X509_VERIFY_PARAM;
 typedef struct X509_algor_st X509_ALGOR;
 typedef struct X509_crl_st X509_CRL;

include/openssl/x509.h

@@ -2660,10 +2660,6 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx,
 OPENSSL_EXPORT void X509_STORE_CTX_set_verify_cb(
     X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *));
 
-OPENSSL_EXPORT X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(
-    X509_STORE_CTX *ctx);
-OPENSSL_EXPORT int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
-
 OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(
     X509_STORE_CTX *ctx);
 OPENSSL_EXPORT void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx,
@@ -2729,37 +2725,6 @@ OPENSSL_EXPORT const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(
     const char *name);
 OPENSSL_EXPORT void X509_VERIFY_PARAM_table_cleanup(void);
 
-OPENSSL_EXPORT int X509_policy_check(X509_POLICY_TREE **ptree,
-                                     int *pexplicit_policy,
-                                     STACK_OF(X509) *certs,
-                                     STACK_OF(ASN1_OBJECT) *policy_oids,
-                                     unsigned int flags);
-
-OPENSSL_EXPORT void X509_policy_tree_free(X509_POLICY_TREE *tree);
-
-OPENSSL_EXPORT int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
-OPENSSL_EXPORT X509_POLICY_LEVEL *X509_policy_tree_get0_level(
-    const X509_POLICY_TREE *tree, int i);
-
-OPENSSL_EXPORT STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_policies(
-    const X509_POLICY_TREE *tree);
-
-OPENSSL_EXPORT STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_user_policies(
-    const X509_POLICY_TREE *tree);
-
-OPENSSL_EXPORT int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
-
-OPENSSL_EXPORT X509_POLICY_NODE *X509_policy_level_get0_node(
-    X509_POLICY_LEVEL *level, int i);
-
-OPENSSL_EXPORT const ASN1_OBJECT *X509_policy_node_get0_policy(
-    const X509_POLICY_NODE *node);
-
-OPENSSL_EXPORT STACK_OF(POLICYQUALINFO) *X509_policy_node_get0_qualifiers(
-    const X509_POLICY_NODE *node);
-OPENSSL_EXPORT const X509_POLICY_NODE *X509_policy_node_get0_parent(
-    const X509_POLICY_NODE *node);
-
 
 #if defined(__cplusplus)
 }  // extern C
@@ -2784,7 +2749,6 @@ BORINGSSL_MAKE_DELETER(X509_LOOKUP, X509_LOOKUP_free)
 BORINGSSL_MAKE_DELETER(X509_NAME, X509_NAME_free)
 BORINGSSL_MAKE_DELETER(X509_NAME_ENTRY, X509_NAME_ENTRY_free)
 BORINGSSL_MAKE_DELETER(X509_PKEY, X509_PKEY_free)
-BORINGSSL_MAKE_DELETER(X509_POLICY_TREE, X509_policy_tree_free)
 BORINGSSL_MAKE_DELETER(X509_PUBKEY, X509_PUBKEY_free)
 BORINGSSL_MAKE_DELETER(X509_REQ, X509_REQ_free)
 BORINGSSL_MAKE_DELETER(X509_REVOKED, X509_REVOKED_free)

include/openssl/x509v3.h

@@ -906,10 +906,6 @@ OPENSSL_EXPORT int X509V3_NAME_from_section(X509_NAME *nm,
                                             STACK_OF(CONF_VALUE) *dn_sk,
                                             unsigned long chtype);
 
-OPENSSL_EXPORT void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node,
-                                           int indent);
-DEFINE_STACK_OF(X509_POLICY_NODE)
-
 // BEGIN ERROR CODES
 // The following lines are auto generated by the script mkerr.pl. Any changes
 // made after this point may be overwritten when the script is next run.