src: remove unused x509 functions

These functions are currently not being used and their security should be audited before any potential future use. Co-authored-by: Akshay K <iit.akshay@gmail.com> Backport-PR-URL: nodejs-private/node-private#305 PR-URL: nodejs-private/node-private#300 Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
nodejs · Jan 7, 2022 · b14be42 · b14be42
1 parent 51572ab
commit b14be42
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 76 deletions.
diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc
@@ -134,76 +134,6 @@ SSLSessionPointer GetTLSSession(const unsigned char* buf, size_t length) {
   return SSLSessionPointer(d2i_SSL_SESSION(nullptr, &buf, length));
 }
 
-std::unordered_multimap<std::string, std::string>
-GetCertificateAltNames(X509* cert) {
-  std::unordered_multimap<std::string, std::string> map;
-  BIOPointer bio(BIO_new(BIO_s_mem()));
-  BUF_MEM* mem;
-  int idx = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1);
-  if (idx < 0)  // There is no subject alt name
-    return map;
-
-  X509_EXTENSION* ext = X509_get_ext(cert, idx);
-  CHECK_NOT_NULL(ext);
-  const X509V3_EXT_METHOD* method = X509V3_EXT_get(ext);
-  CHECK_EQ(method, X509V3_EXT_get_nid(NID_subject_alt_name));
-
-  GENERAL_NAMES* names = static_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(ext));
-  if (names == nullptr)  // There are no names
-    return map;
-
-  for (int i = 0; i < sk_GENERAL_NAME_num(names); i++) {
-    USE(BIO_reset(bio.get()));
-    GENERAL_NAME* gen = sk_GENERAL_NAME_value(names, i);
-    if (gen->type == GEN_DNS) {
-      ASN1_IA5STRING* name = gen->d.dNSName;
-      BIO_write(bio.get(), name->data, name->length);
-      BIO_get_mem_ptr(bio.get(), &mem);
-      map.emplace("dns", std::string(mem->data, mem->length));
-    } else {
-      STACK_OF(CONF_VALUE)* nval = i2v_GENERAL_NAME(
-          const_cast<X509V3_EXT_METHOD*>(method), gen, nullptr);
-      if (nval == nullptr)
-        continue;
-      X509V3_EXT_val_prn(bio.get(), nval, 0, 0);
-      sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
-      BIO_get_mem_ptr(bio.get(), &mem);
-      std::string value(mem->data, mem->length);
-      if (value.compare(0, 11, "IP Address:") == 0) {
-        map.emplace("ip", value.substr(11));
-      } else if (value.compare(0, 4, "URI:") == 0) {
-        url::URL url(value.substr(4));
-        if (url.flags() & url::URL_FLAGS_CANNOT_BE_BASE ||
-            url.flags() & url::URL_FLAGS_FAILED) {
-          continue;  // Skip this one
-        }
-        map.emplace("uri", url.host());
-      }
-    }
-  }
-  sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
-  return map;
-}
-
-std::string GetCertificateCN(X509* cert) {
-  X509_NAME* subject = X509_get_subject_name(cert);
-  if (subject != nullptr) {
-    int nid = OBJ_txt2nid("CN");
-    int idx = X509_NAME_get_index_by_NID(subject, nid, -1);
-    if (idx != -1) {
-      X509_NAME_ENTRY* cn = X509_NAME_get_entry(subject, idx);
-      if (cn != nullptr) {
-        ASN1_STRING* cn_str = X509_NAME_ENTRY_get_data(cn);
-        if (cn_str != nullptr) {
-          return std::string(reinterpret_cast<const char*>(
-              ASN1_STRING_get0_data(cn_str)));
-        }
-      }
-    }
-  }
-  return std::string();
-}
-
 long VerifyPeerCertificate(  // NOLINT(runtime/int)
     const SSLPointer& ssl,
     long def) {  // NOLINT(runtime/int)

diff --git a/src/node_crypto_common.h b/src/node_crypto_common.h
@@ -9,7 +9,6 @@
 #include <openssl/x509v3.h>
 
 #include <string>
-#include <unordered_map>
 
 namespace node {
 namespace crypto {
@@ -62,11 +61,6 @@ SSLSessionPointer GetTLSSession(v8::Local<v8::Value> val);
 
 SSLSessionPointer GetTLSSession(const unsigned char* buf, size_t length);
 
-std::unordered_multimap<std::string, std::string>
-GetCertificateAltNames(X509* cert);
-
-std::string GetCertificateCN(X509* cert);
-
 long VerifyPeerCertificate(  // NOLINT(runtime/int)
     const SSLPointer& ssl,
     long def = X509_V_ERR_UNSPECIFIED);  // NOLINT(runtime/int)