Unexport most of X509_TRUST and X509_PURPOSE and simplify

X509_PURPOSE can't be fully trimmed because rust-openssl uses a few APIs to look up purposes by string. Change-Id: I39e3cec4d8b01ecf7dec1f368fabea4a82eff8e9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65788 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
11 months ago · 1b08502fe2
parent 5a1a5fbdb8
commit 1b08502fe2
6 changed files with 70 additions and 105 deletions
--- a/crypto/x509/internal.h
+++ b/crypto/x509/internal.h
@ -588,6 +588,13 @@ GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
 // |X509_NAME| issue is resolved.
 int X509_check_akid(X509 *issuer, const AUTHORITY_KEYID *akid);

+int X509_TRUST_set(int *t, int trust);
+int X509_TRUST_get_by_id(int id);
+
+int X509_PURPOSE_set(int *p, int purpose);
+int X509_PURPOSE_get_by_id(int id);
+int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
+

 #if defined(__cplusplus)
 }  // extern C
--- a/crypto/x509/v3_purp.c
+++ b/crypto/x509/v3_purp.c
@ -68,6 +68,14 @@
 #include "../internal.h"
 #include "internal.h"

+
+struct x509_purpose_st {
+  int purpose;
+  int trust;  // Default trust ID
+  int (*check_purpose)(const struct x509_purpose_st *, const X509 *, int);
+  const char *sname;
+} /* X509_PURPOSE */;
+
 #define V1_ROOT (EXFLAG_V1 | EXFLAG_SS)
 #define ku_reject(x, usage) \
  (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
@ -97,29 +105,24 @@ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
 #define X509_TRUST_NONE (-1)

 static const X509_PURPOSE xstandard[] = {
-    {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0,
-     check_purpose_ssl_client, (char *)"SSL client", (char *)"sslclient", NULL},
-    {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0,
-     check_purpose_ssl_server, (char *)"SSL server", (char *)"sslserver", NULL},
-    {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0,
-     check_purpose_ns_ssl_server, (char *)"Netscape SSL server",
-     (char *)"nssslserver", NULL},
-    {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign,
-     (char *)"S/MIME signing", (char *)"smimesign", NULL},
-    {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0,
-     check_purpose_smime_encrypt, (char *)"S/MIME encryption",
-     (char *)"smimeencrypt", NULL},
-    {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign,
-     (char *)"CRL signing", (char *)"crlsign", NULL},
-    {X509_PURPOSE_ANY, X509_TRUST_NONE, 0, no_check, (char *)"Any Purpose",
-     (char *)"any", NULL},
+    {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, check_purpose_ssl_client,
+     "sslclient"},
+    {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, check_purpose_ssl_server,
+     "sslserver"},
+    {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER,
+     check_purpose_ns_ssl_server, "nssslserver"},
+    {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, check_purpose_smime_sign,
+     "smimesign"},
+    {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, check_purpose_smime_encrypt,
+     "smimeencrypt"},
+    {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, check_purpose_crl_sign,
+     "crlsign"},
+    {X509_PURPOSE_ANY, X509_TRUST_NONE, no_check, "any"},
    // |X509_PURPOSE_OCSP_HELPER| performs no actual checks. OpenSSL's OCSP
    // implementation relied on the caller performing EKU and KU checks.
-    {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, no_check,
-     (char *)"OCSP helper", (char *)"ocsphelper", NULL},
-    {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0,
-     check_purpose_timestamp_sign, (char *)"Time Stamp signing",
-     (char *)"timestampsign", NULL},
+    {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, no_check, "ocsphelper"},
+    {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, check_purpose_timestamp_sign,
+     "timestampsign"},
 };

 int X509_check_purpose(X509 *x, int id, int ca) {
@ -156,8 +159,6 @@ int X509_PURPOSE_set(int *p, int purpose) {
  return 1;
 }

-int X509_PURPOSE_get_count(void) { return OPENSSL_ARRAY_SIZE(xstandard); }
-
 const X509_PURPOSE *X509_PURPOSE_get0(int idx) {
  if (idx < 0 || (size_t)idx >= OPENSSL_ARRAY_SIZE(xstandard)) {
    return NULL;
@ -166,9 +167,8 @@ const X509_PURPOSE *X509_PURPOSE_get0(int idx) {
 }

 int X509_PURPOSE_get_by_sname(const char *sname) {
-  const X509_PURPOSE *xptmp;
-  for (int i = 0; i < X509_PURPOSE_get_count(); i++) {
-    xptmp = X509_PURPOSE_get0(i);
+  for (int i = 0; i < (int)OPENSSL_ARRAY_SIZE(xstandard); i++) {
+    const X509_PURPOSE *xptmp = X509_PURPOSE_get0(i);
    if (!strcmp(xptmp->sname, sname)) {
      return i;
    }
@ -189,10 +189,6 @@ int X509_PURPOSE_get_by_id(int purpose) {

 int X509_PURPOSE_get_id(const X509_PURPOSE *xp) { return xp->purpose; }

-char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp) { return xp->name; }
-
-char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp) { return xp->sname; }
-
 int X509_PURPOSE_get_trust(const X509_PURPOSE *xp) { return xp->trust; }

 int X509_supported_extension(const X509_EXTENSION *ex) {
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
@ -7721,6 +7721,15 @@ TEST(X509Test, Trust) {
             {intermediate.normal.get()}, {}, /*flags=*/0, set_server_trust));
 }

+// Test some APIs that rust-openssl uses to look up purposes by name.
+TEST(X509Test, PurposeByShortName) {
+  int idx = X509_PURPOSE_get_by_sname("sslserver");
+  ASSERT_NE(idx, -1);
+  const X509_PURPOSE *purpose = X509_PURPOSE_get0(idx);
+  ASSERT_TRUE(purpose);
+  EXPECT_EQ(X509_PURPOSE_get_id(purpose), X509_PURPOSE_SSL_SERVER);
+}
+
 TEST(X509Test, CriticalExtension) {
  bssl::UniquePtr<EVP_PKEY> key = PrivateKeyFromPEM(kP256Key);
  ASSERT_TRUE(key);
--- a/crypto/x509/x509_trs.c
+++ b/crypto/x509/x509_trs.c
@ -66,23 +66,28 @@
 #include "internal.h"


+typedef struct x509_trust_st X509_TRUST;
+
+struct x509_trust_st {
+  int trust;
+  int (*check_trust)(const X509_TRUST *, X509 *, int);
+  int nid;
+} /* X509_TRUST */;
+
+static const X509_TRUST *X509_TRUST_get0(int idx);
+
 static int trust_1oidany(const X509_TRUST *trust, X509 *x, int flags);
 static int trust_compat(const X509_TRUST *trust, X509 *x, int flags);

 static int obj_trust(int id, X509 *x, int flags);

 static const X509_TRUST trstandard[] = {
-    {X509_TRUST_COMPAT, 0, trust_compat, (char *)"compatible", 0, NULL},
-    {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, (char *)"SSL Client",
-     NID_client_auth, NULL},
-    {X509_TRUST_SSL_SERVER, 0, trust_1oidany, (char *)"SSL Server",
-     NID_server_auth, NULL},
-    {X509_TRUST_EMAIL, 0, trust_1oidany, (char *)"S/MIME email",
-     NID_email_protect, NULL},
-    {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, (char *)"Object Signer",
-     NID_code_sign, NULL},
-    {X509_TRUST_TSA, 0, trust_1oidany, (char *)"TSA server", NID_time_stamp,
-     NULL}};
+    {X509_TRUST_COMPAT, trust_compat, 0},
+    {X509_TRUST_SSL_CLIENT, trust_1oidany, NID_client_auth},
+    {X509_TRUST_SSL_SERVER, trust_1oidany, NID_server_auth},
+    {X509_TRUST_EMAIL, trust_1oidany, NID_email_protect},
+    {X509_TRUST_OBJECT_SIGN, trust_1oidany, NID_code_sign},
+    {X509_TRUST_TSA, trust_1oidany, NID_time_stamp}};

 int X509_check_trust(X509 *x, int id, int flags) {
  if (id == -1) {
@ -104,9 +109,7 @@ int X509_check_trust(X509 *x, int id, int flags) {
  return pt->check_trust(pt, x, flags);
 }

-int X509_TRUST_get_count(void) { return OPENSSL_ARRAY_SIZE(trstandard); }
-
-const X509_TRUST *X509_TRUST_get0(int idx) {
+static const X509_TRUST *X509_TRUST_get0(int idx) {
  if (idx < 0 || (size_t)idx >= OPENSSL_ARRAY_SIZE(trstandard)) {
    return NULL;
  }
@ -133,15 +136,9 @@ int X509_TRUST_set(int *t, int trust) {
  return 1;
 }

-int X509_TRUST_get_flags(const X509_TRUST *xp) { return xp->flags; }
-
-char *X509_TRUST_get0_name(const X509_TRUST *xp) { return xp->name; }
-
-int X509_TRUST_get_trust(const X509_TRUST *xp) { return xp->trust; }
-
 static int trust_1oidany(const X509_TRUST *trust, X509 *x, int flags) {
  if (x->aux && (x->aux->trust || x->aux->reject)) {
-    return obj_trust(trust->arg1, x, flags);
+    return obj_trust(trust->nid, x, flags);
  }
  // we don't have any trust settings: for compatibility we return trusted
  // if it is self signed
@ -160,24 +157,21 @@ static int trust_compat(const X509_TRUST *trust, X509 *x, int flags) {
 }

 static int obj_trust(int id, X509 *x, int flags) {
-  ASN1_OBJECT *obj;
-  size_t i;
-  X509_CERT_AUX *ax;
-  ax = x->aux;
+  X509_CERT_AUX *ax = x->aux;
  if (!ax) {
    return X509_TRUST_UNTRUSTED;
  }
  if (ax->reject) {
-    for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
-      obj = sk_ASN1_OBJECT_value(ax->reject, i);
+    for (size_t i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
+      const ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->reject, i);
      if (OBJ_obj2nid(obj) == id) {
        return X509_TRUST_REJECTED;
      }
    }
  }
  if (ax->trust) {
-    for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
-      obj = sk_ASN1_OBJECT_value(ax->trust, i);
+    for (size_t i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
+      const ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->trust, i);
      if (OBJ_obj2nid(obj) == id) {
        return X509_TRUST_TRUSTED;
      }
--- a/include/openssl/base.h
+++ b/include/openssl/base.h
@ -378,11 +378,11 @@ typedef struct x509_attributes_st X509_ATTRIBUTE;
 typedef struct x509_lookup_st X509_LOOKUP;
 typedef struct x509_lookup_method_st X509_LOOKUP_METHOD;
 typedef struct x509_object_st X509_OBJECT;
+typedef struct x509_purpose_st X509_PURPOSE;
 typedef struct x509_revoked_st X509_REVOKED;
 typedef struct x509_st X509;
 typedef struct x509_store_ctx_st X509_STORE_CTX;
 typedef struct x509_store_st X509_STORE;
-typedef struct x509_trust_st X509_TRUST;

 typedef void *OPENSSL_BLOCK;

--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@ -655,14 +655,14 @@ OPENSSL_EXPORT const uint8_t *X509_keyid_get0(const X509 *x509, int *out_len);

 // X509_add1_trust_object configures |x509| as a valid trust anchor for |obj|.
 // It returns one on success and zero on error. |obj| should be a certificate
-// usage OID associated with an |X509_TRUST| object.
+// usage OID associated with an |X509_TRUST_*| constant.
 //
 // See |X509_VERIFY_PARAM_set_trust| for details on how this value is evaluated.
 OPENSSL_EXPORT int X509_add1_trust_object(X509 *x509, const ASN1_OBJECT *obj);

 // X509_add1_reject_object configures |x509| as distrusted for |obj|. It returns
 // one on success and zero on error. |obj| should be a certificate usage OID
-// associated with an |X509_TRUST| object.
+// associated with an |X509_TRUST_*| constant.
 //
 // See |X509_VERIFY_PARAM_set_trust| for details on how this value is evaluated.
 OPENSSL_EXPORT int X509_add1_reject_object(X509 *x509, const ASN1_OBJECT *obj);
@ -4331,19 +4331,6 @@ struct X509_algor_st {

 DECLARE_STACK_OF(DIST_POINT)

-// This is used for a table of trust checking functions
-
-struct x509_trust_st {
-  int trust;
-  int flags;
-  int (*check_trust)(const X509_TRUST *, X509 *, int);
-  char *name;
-  int arg1;
-  void *arg2;
-} /* X509_TRUST */;
-
-DEFINE_STACK_OF(X509_TRUST)
-
 OPENSSL_EXPORT const char *X509_get_default_cert_area(void);
 OPENSSL_EXPORT const char *X509_get_default_cert_dir(void);
 OPENSSL_EXPORT const char *X509_get_default_cert_file(void);
@ -4352,8 +4339,6 @@ OPENSSL_EXPORT const char *X509_get_default_cert_file_env(void);
 OPENSSL_EXPORT const char *X509_get_default_private_dir(void);


-OPENSSL_EXPORT int X509_TRUST_set(int *t, int trust);
-
 OPENSSL_EXPORT int X509_cmp(const X509 *a, const X509 *b);

 // X509_NAME_hash returns a hash of |name|, or zero on error. This is the new
@ -4384,13 +4369,6 @@ OPENSSL_EXPORT uint32_t X509_NAME_hash_old(X509_NAME *name);

 OPENSSL_EXPORT int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);

-OPENSSL_EXPORT int X509_TRUST_get_count(void);
-OPENSSL_EXPORT const X509_TRUST *X509_TRUST_get0(int idx);
-OPENSSL_EXPORT int X509_TRUST_get_by_id(int id);
-OPENSSL_EXPORT int X509_TRUST_get_flags(const X509_TRUST *xp);
-OPENSSL_EXPORT char *X509_TRUST_get0_name(const X509_TRUST *xp);
-OPENSSL_EXPORT int X509_TRUST_get_trust(const X509_TRUST *xp);
-

 /*
 SSL_CTX -> X509_STORE
@ -4682,18 +4660,6 @@ struct ISSUING_DIST_POINT_st {
 #define NS_OBJSIGN_CA 0x01
 #define NS_ANY_CA (NS_SSL_CA | NS_SMIME_CA | NS_OBJSIGN_CA)

-typedef struct x509_purpose_st {
-  int purpose;
-  int trust;  // Default trust ID
-  int flags;
-  int (*check_purpose)(const struct x509_purpose_st *, const X509 *, int);
-  char *name;
-  char *sname;
-  void *usr_data;
-} X509_PURPOSE;
-
-DEFINE_STACK_OF(X509_PURPOSE)
-
 DECLARE_ASN1_FUNCTIONS_const(BASIC_CONSTRAINTS)

 // TODO(https://crbug.com/boringssl/407): This is not const because it contains
@ -4893,16 +4859,9 @@ OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit,
 OPENSSL_EXPORT int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid,
                                   void *value, int crit, unsigned long flags);

-OPENSSL_EXPORT int X509_PURPOSE_set(int *p, int purpose);
-
-OPENSSL_EXPORT int X509_PURPOSE_get_count(void);
-OPENSSL_EXPORT const X509_PURPOSE *X509_PURPOSE_get0(int idx);
 OPENSSL_EXPORT int X509_PURPOSE_get_by_sname(const char *sname);
-OPENSSL_EXPORT int X509_PURPOSE_get_by_id(int id);
-OPENSSL_EXPORT char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp);
-OPENSSL_EXPORT char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp);
-OPENSSL_EXPORT int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
-OPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *);
+OPENSSL_EXPORT const X509_PURPOSE *X509_PURPOSE_get0(int idx);
+OPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *purpose);


 #if defined(__cplusplus)