Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
src: remove unused x509 functions
These functions are currently not being used and their security should
be audited before any potential future use.

Co-authored-by: Akshay K <iit.akshay@gmail.com>
Backport-PR-URL: nodejs-private/node-private#304
PR-URL: nodejs-private/node-private#300
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
  • Loading branch information
2 people authored and danielleadams committed Jan 10, 2022
1 parent 8dd4ca4 commit 4a262d4
Show file tree
Hide file tree
Showing 2 changed files with 0 additions and 76 deletions.
70 changes: 0 additions & 70 deletions src/crypto/crypto_common.cc
Expand Up @@ -135,76 +135,6 @@ SSLSessionPointer GetTLSSession(const unsigned char* buf, size_t length) {
return SSLSessionPointer(d2i_SSL_SESSION(nullptr, &buf, length));
}

std::unordered_multimap<std::string, std::string>
GetCertificateAltNames(X509* cert) {
std::unordered_multimap<std::string, std::string> map;
BIOPointer bio(BIO_new(BIO_s_mem()));
BUF_MEM* mem;
int idx = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1);
if (idx < 0) // There is no subject alt name
return map;

X509_EXTENSION* ext = X509_get_ext(cert, idx);
CHECK_NOT_NULL(ext);
const X509V3_EXT_METHOD* method = X509V3_EXT_get(ext);
CHECK_EQ(method, X509V3_EXT_get_nid(NID_subject_alt_name));

GENERAL_NAMES* names = static_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(ext));
if (names == nullptr) // There are no names
return map;

for (int i = 0; i < sk_GENERAL_NAME_num(names); i++) {
USE(BIO_reset(bio.get()));
GENERAL_NAME* gen = sk_GENERAL_NAME_value(names, i);
if (gen->type == GEN_DNS) {
ASN1_IA5STRING* name = gen->d.dNSName;
BIO_write(bio.get(), name->data, name->length);
BIO_get_mem_ptr(bio.get(), &mem);
map.emplace("dns", std::string(mem->data, mem->length));
} else {
STACK_OF(CONF_VALUE)* nval = i2v_GENERAL_NAME(
const_cast<X509V3_EXT_METHOD*>(method), gen, nullptr);
if (nval == nullptr)
continue;
X509V3_EXT_val_prn(bio.get(), nval, 0, 0);
sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
BIO_get_mem_ptr(bio.get(), &mem);
std::string value(mem->data, mem->length);
if (value.compare(0, 11, "IP Address:") == 0) {
map.emplace("ip", value.substr(11));
} else if (value.compare(0, 4, "URI:") == 0) {
url::URL url(value.substr(4));
if (url.flags() & url::URL_FLAGS_CANNOT_BE_BASE ||
url.flags() & url::URL_FLAGS_FAILED) {
continue; // Skip this one
}
map.emplace("uri", url.host());
}
}
}
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
return map;
}

std::string GetCertificateCN(X509* cert) {
X509_NAME* subject = X509_get_subject_name(cert);
if (subject != nullptr) {
int nid = OBJ_txt2nid("CN");
int idx = X509_NAME_get_index_by_NID(subject, nid, -1);
if (idx != -1) {
X509_NAME_ENTRY* cn = X509_NAME_get_entry(subject, idx);
if (cn != nullptr) {
ASN1_STRING* cn_str = X509_NAME_ENTRY_get_data(cn);
if (cn_str != nullptr) {
return std::string(reinterpret_cast<const char*>(
ASN1_STRING_get0_data(cn_str)));
}
}
}
}
return std::string();
}

long VerifyPeerCertificate( // NOLINT(runtime/int)
const SSLPointer& ssl,
long def) { // NOLINT(runtime/int)
Expand Down
6 changes: 0 additions & 6 deletions src/crypto/crypto_common.h
Expand Up @@ -9,7 +9,6 @@
#include <openssl/x509v3.h>

#include <string>
#include <unordered_map>

namespace node {
namespace crypto {
Expand Down Expand Up @@ -56,11 +55,6 @@ SSLSessionPointer GetTLSSession(v8::Local<v8::Value> val);

SSLSessionPointer GetTLSSession(const unsigned char* buf, size_t length);

std::unordered_multimap<std::string, std::string>
GetCertificateAltNames(X509* cert);

std::string GetCertificateCN(X509* cert);

long VerifyPeerCertificate( // NOLINT(runtime/int)
const SSLPointer& ssl,
long def = X509_V_ERR_UNSPECIFIED); // NOLINT(runtime/int)
Expand Down

0 comments on commit 4a262d4

Please sign in to comment.