From 4a262d42bca0798451f52ed5e3c14681a54c09dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?=
Date: Mon, 13 Dec 2021 20:50:45 +0000
Subject: [PATCH] src: remove unused x509 functions

These functions are currently not being used and their security should be audited before any potential future use.

Co-authored-by: Akshay K
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/304
PR-URL: https://github.com/nodejs-private/node-private/pull/300
Reviewed-By: Michael Dawson
Reviewed-By: Rich Trott
---
 src/crypto/crypto_common.cc | 70 -------------------------------------
 src/crypto/crypto_common.h | 6 ----
 2 files changed, 76 deletions(-)

diff --git a/src/crypto/crypto_common.cc b/src/crypto/crypto_common.cc
index cc03fddd464b09..c7b0691108a1a4 100644
--- a/src/crypto/crypto_common.cc
+++ b/src/crypto/crypto_common.cc
@@ -135,76 +135,6 @@ SSLSessionPointer GetTLSSession(const unsigned char* buf, size_t length) {
 return SSLSessionPointer(d2i_SSL_SESSION(nullptr, &buf, length));
 }
-std::unordered_multimap
-GetCertificateAltNames(X509* cert) {
- std::unordered_multimap map;
- BIOPointer bio(BIO_new(BIO_s_mem()));
- BUF_MEM* mem;
- int idx = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1);
- if (idx < 0) // There is no subject alt name
- return map;
-
- X509_EXTENSION* ext = X509_get_ext(cert, idx);
- CHECK_NOT_NULL(ext);
- const X509V3_EXT_METHOD* method = X509V3_EXT_get(ext);
- CHECK_EQ(method, X509V3_EXT_get_nid(NID_subject_alt_name));
-
- GENERAL_NAMES* names = static_cast(X509V3_EXT_d2i(ext));
- if (names == nullptr) // There are no names
- return map;
-
- for (int i = 0; i < sk_GENERAL_NAME_num(names); i++) {
- USE(BIO_reset(bio.get()));
- GENERAL_NAME* gen = sk_GENERAL_NAME_value(names, i);
- if (gen->type == GEN_DNS) {
- ASN1_IA5STRING* name = gen->d.dNSName;
- BIO_write(bio.get(), name->data, name->length);
- BIO_get_mem_ptr(bio.get(), &mem);
- map.emplace("dns", std::string(mem->data, mem->length));
- } else {
- STACK_OF(CONF_VALUE)* nval = i2v_GENERAL_NAME(
- const_cast(method), gen, nullptr);
- if (nval == nullptr)
- continue;
- X509V3_EXT_val_prn(bio.get(), nval, 0, 0);
- sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
- BIO_get_mem_ptr(bio.get(), &mem);
- std::string value(mem->data, mem->length);
- if (value.compare(0, 11, "IP Address:") == 0) {
- map.emplace("ip", value.substr(11));
- } else if (value.compare(0, 4, "URI:") == 0) {
- url::URL url(value.substr(4));
- if (url.flags() & url::URL_FLAGS_CANNOT_BE_BASE ||
- url.flags() & url::URL_FLAGS_FAILED) {
- continue; // Skip this one
- }
- map.emplace("uri", url.host());
- }
- }
- }
- sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
- return map;
-}
-
-std::string GetCertificateCN(X509* cert) {
- X509_NAME* subject = X509_get_subject_name(cert);
- if (subject != nullptr) {
- int nid = OBJ_txt2nid("CN");
- int idx = X509_NAME_get_index_by_NID(subject, nid, -1);
- if (idx != -1) {
- X509_NAME_ENTRY* cn = X509_NAME_get_entry(subject, idx);
- if (cn != nullptr) {
- ASN1_STRING* cn_str = X509_NAME_ENTRY_get_data(cn);
- if (cn_str != nullptr) {
- return std::string(reinterpret_cast(
- ASN1_STRING_get0_data(cn_str)));
- }
- }
- }
- }
- return std::string();
-}
-
 long VerifyPeerCertificate( // NOLINT(runtime/int)
 const SSLPointer& ssl,
 long def) { // NOLINT(runtime/int)
diff --git a/src/crypto/crypto_common.h b/src/crypto/crypto_common.h
index 8b83d9fc2a7b17..2c578b7be435cb 100644
--- a/src/crypto/crypto_common.h
+++ b/src/crypto/crypto_common.h
@@ -9,7 +9,6 @@
 #include
 #include
-#include
 namespace node {
 namespace crypto {
@@ -56,11 +55,6 @@ SSLSessionPointer GetTLSSession(v8::Local val);
 SSLSessionPointer GetTLSSession(const unsigned char* buf, size_t length);
-std::unordered_multimap
-GetCertificateAltNames(X509* cert);
-
-std::string GetCertificateCN(X509* cert);
-
 long VerifyPeerCertificate( // NOLINT(runtime/int)
 const SSLPointer& ssl,
 long def = X509_V_ERR_UNSPECIFIED); // NOLINT(runtime/int)