
src: remove unused x509 functions
These functions are currently not being used and their security should
be audited before any potential future use.

Co-authored-by: Akshay K <iit.akshay@gmail.com>
Backport-PR-URL: nodejs-private/node-private#305
PR-URL: nodejs-private/node-private#300
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
2 people authored and richardlau committed Jan 7, 2022
1 parent 51572ab commit b14be42
Showing 2 changed files with 0 additions and 76 deletions.
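--- a/src/node_crypto_common.cc
+++ b/src/node_crypto_common.cc
@@ -134,76 +134,6 @@ SSLSessionPointer GetTLSSession(const unsigned char* buf, size_t length) {
 return SSLSessionPointer(d2i_SSL_SESSION(nullptr, &buf, length));
 }
 
-std::unordered_multimap<std::string, std::string>
-GetCertificateAltNames(X509* cert) {
-std::unordered_multimap<std::string, std::string> map;
-BIOPointer bio(BIO_new(BIO_s_mem()));
-BUF_MEM* mem;
-int idx = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1);
-if (idx < 0) // There is no subject alt name
-return map;
-
-X509_EXTENSION* ext = X509_get_ext(cert, idx);
-CHECK_NOT_NULL(ext);
-const X509V3_EXT_METHOD* method = X509V3_EXT_get(ext);
-CHECK_EQ(method, X509V3_EXT_get_nid(NID_subject_alt_name));
-
-GENERAL_NAMES* names = static_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(ext));
-if (names == nullptr) // There are no names
-return map;
-
-for (int i = 0; i < sk_GENERAL_NAME_num(names); i++) {
-USE(BIO_reset(bio.get()));
-GENERAL_NAME* gen = sk_GENERAL_NAME_value(names, i);
-if (gen->type == GEN_DNS) {
-ASN1_IA5STRING* name = gen->d.dNSName;
-BIO_write(bio.get(), name->data, name->length);
-BIO_get_mem_ptr(bio.get(), &mem);
-map.emplace("dns", std::string(mem->data, mem->length));
-} else {
-STACK_OF(CONF_VALUE)* nval = i2v_GENERAL_NAME(
-const_cast<X509V3_EXT_METHOD*>(method), gen, nullptr);
-if (nval == nullptr)
-continue;
-X509V3_EXT_val_prn(bio.get(), nval, 0, 0);
-sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
-BIO_get_mem_ptr(bio.get(), &mem);
-std::string value(mem->data, mem->length);
-if (value.compare(0, 11, "IP Address:") == 0) {
-map.emplace("ip", value.substr(11));
-} else if (value.compare(0, 4, "URI:") == 0) {
-url::URL url(value.substr(4));
-if (url.flags() & url::URL_FLAGS_CANNOT_BE_BASE ||
-url.flags() & url::URL_FLAGS_FAILED) {
-continue; // Skip this one
-}
-map.emplace("uri", url.host());
-}
-}
-}
-sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
-return map;
-}
-
-std::string GetCertificateCN(X509* cert) {
-X509_NAME* subject = X509_get_subject_name(cert);
-if (subject != nullptr) {
-int nid = OBJ_txt2nid("CN");
-int idx = X509_NAME_get_index_by_NID(subject, nid, -1);
-if (idx != -1) {
-X509_NAME_ENTRY* cn = X509_NAME_get_entry(subject, idx);
-if (cn != nullptr) {
-ASN1_STRING* cn_str = X509_NAME_ENTRY_get_data(cn);
-if (cn_str != nullptr) {
-return std::string(reinterpret_cast<const char*>(
-ASN1_STRING_get0_data(cn_str)));
-}
-}
-}
-}
-return std::string();
-}
-
 long VerifyPeerCertificate( // NOLINT(runtime/int)
 const SSLPointer& ssl,
 long def) { // NOLINT(runtime/int)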
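--- a/src/node_crypto_common.h
+++ b/src/node_crypto_common.h
@@ -9,7 +9,6 @@
 #include <openssl/x509v3.h>
 
 #include <string>
-#include <unordered_map>
 
 namespace node {
 namespace crypto {
@@ -62,11 +61,6 @@ SSLSessionPointer GetTLSSession(v8::Local<v8::Value> val);
 
 SSLSessionPointer GetTLSSession(const unsigned char* buf, size_t length);
 
-std::unordered_multimap<std::string, std::string>
-GetCertificateAltNames(X509* cert);
-
-std::string GetCertificateCN(X509* cert);
-
 long VerifyPeerCertificate( // NOLINT(runtime/int)
 const SSLPointer& ssl,
 long def = X509_V_ERR_UNSPECIFIED); // NOLINT(runtime/int)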
