Remove X509_TRUST_DEFAULT

davidben · andrewhop · commit 01a0dcd008f8 · 2024-10-07T11:10:09.000-07:00
This is only used internally, for X509_PURPOSE_ANY to mark that it has no corresponding trust value. Countrary to the name, this doesn't mean to use the default X509_TRUST behavior, but to make it impossible to configure via X509_STORE_CTX_set_purpose. Since it's only used in one place, as any value that fails lookup, I've just put a local define in v3_purp.c. Change-Id: Id3e44c08528a303132ef09d0a94521af67cc2230 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65212 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com> (cherry picked from commit 5a1a5fbdb865fa58f1da0fd8bf6426f801ea37ac)
diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c
@@ -94,6 +94,11 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
 static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
 static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);
 
+// X509_TRUST_NONE is not a valid |X509_TRUST_*| constant. It is used by
+// |X509_PURPOSE_ANY| to indicate that it has no corresponding trust type and
+// cannot be used with |X509_STORE_CTX_set_purpose|.
+#define X509_TRUST_NONE (-1)
+
 static const X509_PURPOSE xstandard[] = {
     {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0,
      check_purpose_ssl_client, (char *)"SSL client", (char *)"sslclient", NULL},
@@ -109,7 +114,7 @@ static const X509_PURPOSE xstandard[] = {
      (char *)"smimeencrypt", NULL},
     {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign,
      (char *)"CRL signing", (char *)"crlsign", NULL},
-    {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, (char *)"Any Purpose",
+    {X509_PURPOSE_ANY, X509_TRUST_NONE, 0, no_check, (char *)"Any Purpose",
      (char *)"any", NULL},
     {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper,
      (char *)"OCSP helper", (char *)"ocsphelper", NULL},
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
@@ -4407,10 +4407,6 @@ struct x509_trust_st {
 
 DEFINE_STACK_OF(X509_TRUST)
 
-// standard trust ids
-
-#define X509_TRUST_DEFAULT (-1)  // Only valid in purpose settings
-
 OPENSSL_EXPORT const char *X509_get_default_cert_area(void);
 OPENSSL_EXPORT const char *X509_get_default_cert_dir(void);
 OPENSSL_EXPORT const char *X509_get_default_cert_file(void);
