Deprecate all recently added PKCS7 functions

aws · Dec 6, 2024 · 995896e · 995896e
1 parent f66e6ef
commit 995896e
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 67 deletions.
diff --git a/crypto/pkcs7/pkcs7.c b/crypto/pkcs7/pkcs7.c
@@ -29,7 +29,6 @@
 #include "../internal.h"
 #include "internal.h"
 
-// TODO remove all other usages of OPENSSL_BEGIN_ALLOW_DEPRECATED in this file
 OPENSSL_BEGIN_ALLOW_DEPRECATED
 
 // 1.2.840.113549.1.7.1
@@ -815,9 +814,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) {
       goto err;
     }
     BIO_set_mem_eof_return(bio, /*eof_value*/ 0);
-    OPENSSL_BEGIN_ALLOW_DEPRECATED
     if (!PKCS7_is_detached(p7) && content && content->length > 0) {
-      OPENSSL_END_ALLOW_DEPRECATED
       // |bio |needs a copy of |os->data| instead of a pointer because the data
       // will be used after |os |has been freed
       if (BIO_write(bio, content->data, content->length) != content->length) {
@@ -838,9 +835,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) {
   return NULL;
 }
 
-OPENSSL_BEGIN_ALLOW_DEPRECATED
 int PKCS7_is_detached(PKCS7 *p7) {
-  OPENSSL_END_ALLOW_DEPRECATED
   GUARD_PTR(p7);
   if (PKCS7_type_is_signed(p7)) {
     return (p7->d.sign == NULL || p7->d.sign->contents->d.ptr == NULL);
@@ -958,11 +953,9 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) {
     case NID_pkcs7_signed:
       si_sk = p7->d.sign->signer_info;
       // clang-format off
-OPENSSL_BEGIN_ALLOW_DEPRECATED
       content = PKCS7_get_octet_string(p7->d.sign->contents);
       // If detached data then the content is excluded
       if (PKCS7_type_is_data(p7->d.sign->contents) && PKCS7_is_detached(p7)) {
-OPENSSL_END_ALLOW_DEPRECATED
         // clang-format on
         ASN1_OCTET_STRING_free(content);
         content = NULL;
@@ -973,9 +966,7 @@ OPENSSL_END_ALLOW_DEPRECATED
     case NID_pkcs7_digest:
       content = PKCS7_get_octet_string(p7->d.digest->contents);
       // If detached data, then the content is excluded
-      OPENSSL_BEGIN_ALLOW_DEPRECATED
       if (PKCS7_type_is_data(p7->d.digest->contents) && PKCS7_is_detached(p7)) {
-        OPENSSL_END_ALLOW_DEPRECATED
         ASN1_OCTET_STRING_free(content);
         content = NULL;
         p7->d.digest->contents->d.data = NULL;
@@ -1032,9 +1023,7 @@ OPENSSL_END_ALLOW_DEPRECATED
     }
   }
 
-  OPENSSL_BEGIN_ALLOW_DEPRECATED
   if (!PKCS7_is_detached(p7)) {
-    OPENSSL_END_ALLOW_DEPRECATED
     if (content == NULL) {
       goto err;
     }
@@ -1087,9 +1076,7 @@ int pkcs7_final(PKCS7 *p7, BIO *data) {
   BIO *p7bio;
   int ret = 0;
 
-  OPENSSL_BEGIN_ALLOW_DEPRECATED
   if ((p7bio = PKCS7_dataInit(p7, NULL)) == NULL) {
-    OPENSSL_END_ALLOW_DEPRECATED
     OPENSSL_PUT_ERROR(PKCS7, ERR_R_PKCS7_LIB);
     goto err;
   }
@@ -1098,9 +1085,7 @@ int pkcs7_final(PKCS7 *p7, BIO *data) {
     goto err;
   }
 
-  OPENSSL_BEGIN_ALLOW_DEPRECATED
   if (!PKCS7_dataFinal(p7, p7bio)) {
-    OPENSSL_END_ALLOW_DEPRECATED
     OPENSSL_PUT_ERROR(PKCS7, ERR_R_PKCS7_LIB);
     goto err;
   }
@@ -1134,9 +1119,7 @@ PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher,
 
   for (size_t i = 0; i < sk_X509_num(certs); i++) {
     x509 = sk_X509_value(certs, i);
-    OPENSSL_BEGIN_ALLOW_DEPRECATED
     if (!PKCS7_add_recipient(p7, x509)) {
-      OPENSSL_END_ALLOW_DEPRECATED
       OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_ERROR_ADDING_RECIPIENT);
       goto err;
     }

diff --git a/crypto/pkcs7/pkcs7_test.cc b/crypto/pkcs7/pkcs7_test.cc
@@ -1526,7 +1526,6 @@ TEST(PKCS7Test, GettersSetters) {
   X509_ALGOR *md_alg2 = X509_ALGOR_new();
   X509_ALGOR_set_md(md_alg2, EVP_sha256());
   sk_X509_ALGOR_push(p7->d.sign->md_algs, md_alg2);
-
   p7si = PKCS7_SIGNER_INFO_new();
   ASSERT_TRUE(p7si);
   EXPECT_TRUE(PKCS7_SIGNER_INFO_set(p7si, ecdsa_x509.get(), ecdsa_pkey.get(),

diff --git a/crypto/pkcs7/pkcs7_x509.c b/crypto/pkcs7/pkcs7_x509.c
@@ -29,6 +29,7 @@
 #include "../internal.h"
 #include "internal.h"
 
+OPENSSL_BEGIN_ALLOW_DEPRECATED
 
 int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs) {
   int ret = 0;
@@ -592,3 +593,5 @@ int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl) {
   X509_CRL_up_ref(crl);
   return 1;
 }
+
+OPENSSL_END_ALLOW_DEPRECATED
diff --git a/include/openssl/pkcs7.h b/include/openssl/pkcs7.h
@@ -101,6 +101,36 @@ OPENSSL_EXPORT int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs,
 OPENSSL_EXPORT int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls,
                                       BIO *pem_bio);
 
+// d2i_PKCS7_bio behaves like |d2i_PKCS7| but reads the input from |bio|.  If
+// the length of the object is indefinite the full contents of |bio| are read.
+//
+// If the function fails then some unknown amount of data may have been read
+// from |bio|.
+OPENSSL_EXPORT PKCS7 *d2i_PKCS7_bio(BIO *bio, PKCS7 **out);
+
+// i2d_PKCS7_bio writes |p7| to |bio|. It returns one on success and zero on
+// error.
+OPENSSL_EXPORT int i2d_PKCS7_bio(BIO *bio, const PKCS7 *p7);
+
+// PKCS7_type_is_data returns 1 if |p7| is of type data
+OPENSSL_EXPORT int PKCS7_type_is_data(const PKCS7 *p7);
+
+// PKCS7_type_is_digest returns 1 if |p7| is of type digest
+OPENSSL_EXPORT int PKCS7_type_is_digest(const PKCS7 *p7);
+
+// PKCS7_type_is_encrypted returns 1 if |p7| is of type encrypted
+OPENSSL_EXPORT int PKCS7_type_is_encrypted(const PKCS7 *p7);
+
+// PKCS7_type_is_enveloped returns 1 if |p7| is of type enveloped
+OPENSSL_EXPORT int PKCS7_type_is_enveloped(const PKCS7 *p7);
+
+// PKCS7_type_is_signed returns 1 if |p7| is of type signed
+OPENSSL_EXPORT int PKCS7_type_is_signed(const PKCS7 *p7);
+
+// PKCS7_type_is_signedAndEnveloped returns 1 if |p7| is of type
+// signedAndEnveloped
+OPENSSL_EXPORT int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7);
+
 
 // Deprecated functions.
 //
@@ -261,108 +291,84 @@ DEFINE_STACK_OF(PKCS7_SIGNER_INFO)
 
 // PKCS7_dup returns a newly allocated copy of |p7| without deep-copying
 // internal references.
-OPENSSL_EXPORT PKCS7 *PKCS7_dup(PKCS7 *p7);
-
-// d2i_PKCS7_bio behaves like |d2i_PKCS7| but reads the input from |bio|.  If
-// the length of the object is indefinite the full contents of |bio| are read.
-//
-// If the function fails then some unknown amount of data may have been read
-// from |bio|.
-OPENSSL_EXPORT PKCS7 *d2i_PKCS7_bio(BIO *bio, PKCS7 **out);
-
-// i2d_PKCS7_bio writes |p7| to |bio|. It returns one on success and zero on
-// error.
-OPENSSL_EXPORT int i2d_PKCS7_bio(BIO *bio, const PKCS7 *p7);
+OPENSSL_EXPORT OPENSSL_DEPRECATED PKCS7 *PKCS7_dup(PKCS7 *p7);
 
 // PKCS7_get_signed_attribute returns a pointer to the first signed attribute
 // from |si| with NID |nid| if one is present, else NULL.
-OPENSSL_EXPORT ASN1_TYPE *PKCS7_get_signed_attribute(
+OPENSSL_EXPORT OPENSSL_DEPRECATED ASN1_TYPE *PKCS7_get_signed_attribute(
     const PKCS7_SIGNER_INFO *si, int nid);
 
 // PKCS7_get_signer_info returns |p7|'s attached PKCS7_SIGNER_INFO if present
 // and |p7| is of a relevant type, else NULL. This function only pertains to
 // signedData and signedAndEnvelopedData.
-OPENSSL_EXPORT STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7);
+OPENSSL_EXPORT OPENSSL_DEPRECATED STACK_OF(PKCS7_SIGNER_INFO) *
+PKCS7_get_signer_info(PKCS7 *p7);
 
 // PKCS7_RECIP_INFO_set attaches |x509| to |p7i| and increments |x509|'s
 // reference count. It returns 1 on success and 0 on failure or if |x509|'s
 // public key not usable for encryption.
-OPENSSL_EXPORT int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509);
+OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_RECIP_INFO_set(
+    PKCS7_RECIP_INFO *p7i, X509 *x509);
 
 // PKCS7_SIGNER_INFO_set attaches the other parameters to |p7i|, returning 1 on
 // success and 0 on error or if specified parameters are inapplicable to
 // signing. Only EC, DH, and RSA |pkey|s are supported. |pkey|'s reference
 // count is incremented, but neither |x509|'s nor |dgst|'s is.
-OPENSSL_EXPORT int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509,
-                                         EVP_PKEY *pkey, const EVP_MD *dgst);
+OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_SIGNER_INFO_set(
+    PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey, const EVP_MD *dgst);
 
 // PKCS7_add_certificate adds |x509| to |p7|'s certificate stack, incrementing
 // |x509|'s reference count.  It returns 1 on success and 0 on failure or if
 // |p7| isn't of an applicable type: signedData and signedAndEnvelopedData.
-OPENSSL_EXPORT int PKCS7_add_certificate(PKCS7 *p7, X509 *x509);
+OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_add_certificate(PKCS7 *p7,
+                                                            X509 *x509);
 
 // PKCS7_add_crl adds |x509| to |p7|'s CRL stack, incrementing |x509|'s
 // reference count. It returns 1 on success and 0 on failure or if |p7| isn't
 // of an applicable type: signedData and signedAndEnvelopedData.
-OPENSSL_EXPORT int PKCS7_add_crl(PKCS7 *p7, X509_CRL *x509);
+OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_add_crl(PKCS7 *p7, X509_CRL *x509);
 
 // PKCS7_add_recipient_info adds |ri| to |p7|, returning 1 on succes or 0 if
 // |p7| is of an inapplicable type: envelopedData and signedAndEnvelopedData.
-OPENSSL_EXPORT int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri);
+OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_add_recipient_info(
+    PKCS7 *p7, PKCS7_RECIP_INFO *ri);
 
 // PKCS7_add_signer adds |p7i| to |p7|, returning 1 on succes or 0 if
 // |p7| is of an inapplicable type: signedData and signedAndEnvelopedData.
-OPENSSL_EXPORT int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *p7i);
+OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_add_signer(PKCS7 *p7,
+                                                       PKCS7_SIGNER_INFO *p7i);
 
 // PKCS7_content_new allocates a new PKCS7 and adds it to |p7| as content. It
 // returns 1 on success and 0 on failure.
-OPENSSL_EXPORT int PKCS7_content_new(PKCS7 *p7, int nid);
+OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_content_new(PKCS7 *p7, int nid);
 
 // PKCS7_set_content sets |p7_data| as content on |p7| for applicable types of
 // |p7|. It frees any existing content on |p7|, returning 1 on success and 0 on
 // failure.
-OPENSSL_EXPORT int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data);
+OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_set_content(PKCS7 *p7,
+                                                        PKCS7 *p7_data);
 
 // PKCS7_set_content sets |p7_data| as content on |p7| for applicable types of
 // |p7|: signedData and digestData. |p7_data| may be NULL. It frees any
 // existing content on |p7|, returning 1 on success and 0 on failure.
-OPENSSL_EXPORT int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher);
+OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_set_cipher(
+    PKCS7 *p7, const EVP_CIPHER *cipher);
 
 // PKCS7_set_type instantiates |p7| as type |type|. It returns 1 on success and
 // 0 on failure or if |type| is not a valid PKCS7 content type.
-OPENSSL_EXPORT int PKCS7_set_type(PKCS7 *p7, int type);
+OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_set_type(PKCS7 *p7, int type);
 
 // PKCS7_RECIP_INFO_get0_alg sets |*penc| to |ri|'s key encryption algorithm,
 // if present. Ownership of |*penc| is retained by |ri|.
-OPENSSL_EXPORT void PKCS7_RECIP_INFO_get0_alg(PKCS7_RECIP_INFO *ri,
-                                              X509_ALGOR **penc);
+OPENSSL_EXPORT OPENSSL_DEPRECATED void PKCS7_RECIP_INFO_get0_alg(
+    PKCS7_RECIP_INFO *ri, X509_ALGOR **penc);
 
 // PKCS7_SIGNER_INFO_get0_algs sets all of, if present: |*pk| to |si|'s key,
 // |*pdig| to |si|'s digest angorithm, and |*psig| to |si|'s signature
 // algorithm. Ownership of |*pk|, |*pdig|, and |*psig) is retained by |si|.
-OPENSSL_EXPORT void PKCS7_SIGNER_INFO_get0_algs(PKCS7_SIGNER_INFO *si,
-                                                EVP_PKEY **pk,
-                                                X509_ALGOR **pdig,
-                                                X509_ALGOR **psig);
+OPENSSL_EXPORT OPENSSL_DEPRECATED void PKCS7_SIGNER_INFO_get0_algs(
+    PKCS7_SIGNER_INFO *si, EVP_PKEY **pk, X509_ALGOR **pdig, X509_ALGOR **psig);
 
-// PKCS7_type_is_data returns 1 if |p7| is of type data
-OPENSSL_EXPORT int PKCS7_type_is_data(const PKCS7 *p7);
-
-// PKCS7_type_is_digest returns 1 if |p7| is of type digest
-OPENSSL_EXPORT int PKCS7_type_is_digest(const PKCS7 *p7);
-
-// PKCS7_type_is_encrypted returns 1 if |p7| is of type encrypted
-OPENSSL_EXPORT int PKCS7_type_is_encrypted(const PKCS7 *p7);
-
-// PKCS7_type_is_enveloped returns 1 if |p7| is of type enveloped
-OPENSSL_EXPORT int PKCS7_type_is_enveloped(const PKCS7 *p7);
-
-// PKCS7_type_is_signed returns 1 if |p7| is of type signed
-OPENSSL_EXPORT int PKCS7_type_is_signed(const PKCS7 *p7);
-
-// PKCS7_type_is_signedAndEnveloped returns 1 if |p7| is of type
-// signedAndEnveloped
-OPENSSL_EXPORT int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7);
 
 // Deprecated flags
 //