Skip to content

Commit

Permalink
src: remove unused x509 functions
Browse files Browse the repository at this point in the history
These functions are currently not being used and their security should
be audited before any potential future use.

Co-authored-by: Akshay K <[email protected]>
Backport-PR-URL: nodejs-private/node-private#304
PR-URL: nodejs-private/node-private#300
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
  • Loading branch information
2 people authored and danielleadams committed Jan 10, 2022
1 parent 8dd4ca4 commit 4a262d4
Show file tree
Hide file tree
Showing 2 changed files with 0 additions and 76 deletions.
70 changes: 0 additions & 70 deletions src/crypto/crypto_common.cc
Original file line number Diff line number Diff line change
Expand Up @@ -135,76 +135,6 @@ SSLSessionPointer GetTLSSession(const unsigned char* buf, size_t length) {
return SSLSessionPointer(d2i_SSL_SESSION(nullptr, &buf, length));
}

std::unordered_multimap<std::string, std::string>
GetCertificateAltNames(X509* cert) {
std::unordered_multimap<std::string, std::string> map;
BIOPointer bio(BIO_new(BIO_s_mem()));
BUF_MEM* mem;
int idx = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1);
if (idx < 0) // There is no subject alt name
return map;

X509_EXTENSION* ext = X509_get_ext(cert, idx);
CHECK_NOT_NULL(ext);
const X509V3_EXT_METHOD* method = X509V3_EXT_get(ext);
CHECK_EQ(method, X509V3_EXT_get_nid(NID_subject_alt_name));

GENERAL_NAMES* names = static_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(ext));
if (names == nullptr) // There are no names
return map;

for (int i = 0; i < sk_GENERAL_NAME_num(names); i++) {
USE(BIO_reset(bio.get()));
GENERAL_NAME* gen = sk_GENERAL_NAME_value(names, i);
if (gen->type == GEN_DNS) {
ASN1_IA5STRING* name = gen->d.dNSName;
BIO_write(bio.get(), name->data, name->length);
BIO_get_mem_ptr(bio.get(), &mem);
map.emplace("dns", std::string(mem->data, mem->length));
} else {
STACK_OF(CONF_VALUE)* nval = i2v_GENERAL_NAME(
const_cast<X509V3_EXT_METHOD*>(method), gen, nullptr);
if (nval == nullptr)
continue;
X509V3_EXT_val_prn(bio.get(), nval, 0, 0);
sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
BIO_get_mem_ptr(bio.get(), &mem);
std::string value(mem->data, mem->length);
if (value.compare(0, 11, "IP Address:") == 0) {
map.emplace("ip", value.substr(11));
} else if (value.compare(0, 4, "URI:") == 0) {
url::URL url(value.substr(4));
if (url.flags() & url::URL_FLAGS_CANNOT_BE_BASE ||
url.flags() & url::URL_FLAGS_FAILED) {
continue; // Skip this one
}
map.emplace("uri", url.host());
}
}
}
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
return map;
}

std::string GetCertificateCN(X509* cert) {
X509_NAME* subject = X509_get_subject_name(cert);
if (subject != nullptr) {
int nid = OBJ_txt2nid("CN");
int idx = X509_NAME_get_index_by_NID(subject, nid, -1);
if (idx != -1) {
X509_NAME_ENTRY* cn = X509_NAME_get_entry(subject, idx);
if (cn != nullptr) {
ASN1_STRING* cn_str = X509_NAME_ENTRY_get_data(cn);
if (cn_str != nullptr) {
return std::string(reinterpret_cast<const char*>(
ASN1_STRING_get0_data(cn_str)));
}
}
}
}
return std::string();
}

long VerifyPeerCertificate( // NOLINT(runtime/int)
const SSLPointer& ssl,
long def) { // NOLINT(runtime/int)
Expand Down
6 changes: 0 additions & 6 deletions src/crypto/crypto_common.h
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@
#include <openssl/x509v3.h>

#include <string>
#include <unordered_map>

namespace node {
namespace crypto {
Expand Down Expand Up @@ -56,11 +55,6 @@ SSLSessionPointer GetTLSSession(v8::Local<v8::Value> val);

SSLSessionPointer GetTLSSession(const unsigned char* buf, size_t length);

std::unordered_multimap<std::string, std::string>
GetCertificateAltNames(X509* cert);

std::string GetCertificateCN(X509* cert);

long VerifyPeerCertificate( // NOLINT(runtime/int)
const SSLPointer& ssl,
long def = X509_V_ERR_UNSPECIFIED); // NOLINT(runtime/int)
Expand Down

0 comments on commit 4a262d4

Please sign in to comment.