Remove X509_TRUST_OCSP_SIGN and X509_TRUST_OCSP_REQUEST

These are unused and are the only options that remove the "compat" self-signed fallback. X509_TRUST_OCSP_REQUEST was intended for checking signed OCSP requests. While OpenSSL's OCSP implementation (which we've dropped) does attempt to configure it, it actually does nothing. They call X509_STORE_CTX_set_trust after X509_STORE_CTX_set_purpose, but X509_STORE_CTX_set_purpose already sets the trust parameter and X509_STORE_CTX_set_trust only acts when trust is not configured. X509_TRUST_OCSP_SIGN was briefly used in upstream's 30c278aa6bb614f4cfc5a26c7cbe66ad090f6896, by way of X509_PURPOSE_OCSP_HELPER, but then immediately undone in e9754726d236b74476cd0be5fa60acfef0c7024f. Change-Id: I6d2cf9b88a6b013e74fe95cd88f94051111086df Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65151 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
ValeriiaYevtushenkoDex · Jan 10, 2024 · 74bab4c · 74bab4c
1 parent 0beff26
commit 74bab4c
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 14 deletions.
diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c
@@ -67,7 +67,6 @@
 
 
 static int trust_1oidany(const X509_TRUST *trust, X509 *x, int flags);
-static int trust_1oid(const X509_TRUST *trust, X509 *x, int flags);
 static int trust_compat(const X509_TRUST *trust, X509 *x, int flags);
 
 static int obj_trust(int id, X509 *x, int flags);
@@ -82,10 +81,6 @@ static const X509_TRUST trstandard[] = {
      NID_email_protect, NULL},
     {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, (char *)"Object Signer",
      NID_code_sign, NULL},
-    {X509_TRUST_OCSP_SIGN, 0, trust_1oid, (char *)"OCSP responder",
-     NID_OCSP_sign, NULL},
-    {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, (char *)"OCSP request",
-     NID_ad_OCSP, NULL},
     {X509_TRUST_TSA, 0, trust_1oidany, (char *)"TSA server", NID_time_stamp,
      NULL}};
 
@@ -155,13 +150,6 @@ static int trust_1oidany(const X509_TRUST *trust, X509 *x, int flags) {
   return trust_compat(trust, x, flags);
 }
 
-static int trust_1oid(const X509_TRUST *trust, X509 *x, int flags) {
-  if (x->aux) {
-    return obj_trust(trust->arg1, x, flags);
-  }
-  return X509_TRUST_UNTRUSTED;
-}
-
 static int trust_compat(const X509_TRUST *trust, X509 *x, int flags) {
   if (!x509v3_cache_extensions(x)) {
     return X509_TRUST_UNTRUSTED;

diff --git a/include/openssl/x509.h b/include/openssl/x509.h
@@ -3557,8 +3557,6 @@ DEFINE_STACK_OF(X509_TRUST)
 #define X509_TRUST_SSL_SERVER 3
 #define X509_TRUST_EMAIL 4
 #define X509_TRUST_OBJECT_SIGN 5
-#define X509_TRUST_OCSP_SIGN 6
-#define X509_TRUST_OCSP_REQUEST 7
 #define X509_TRUST_TSA 8
 
 // check_trust return codes