
github.com/mono/boringssl.git
author: David Benjamin <davidben@chromium.org> 2016-01-30 22:58:52 +0300
committer: Adam Langley <agl@google.com> 2016-02-27 01:39:02 +0300
commit: 17727c6843e3b3d4ec93132a454732dd5176ff85
tree: 51dc0c980d6da8456ae0178245b9f2b49fe331a4 /include/openssl/x509.h
parent: 93a69b4f8f33d70a3350512ec744b5b948fe2f6b

Move all signature algorithm code to crypto/x509.

All the signature algorithm logic depends on X509_ALGOR. This also removes the X509_ALGOR-based EVP functions which are no longer used externally. I think those APIs were a mistake on my part. The use in Chromium was unnecessary (and has since been removed anyway). The new X.509 stack will want to process the signatureAlgorithm itself to be able to enforce policies on it.

This also moves the RSA_PSS_PARAMS bits to crypto/x509 from crypto/rsa. That struct is also tied to crypto/x509. Any new RSA-PSS code would have to use something else anyway.

BUG=499653
Change-Id: I6c4b4573b2800a2e0f863d35df94d048864b7c41
Reviewed-on: https://boringssl-review.googlesource.com/7025
Reviewed-by: Adam Langley <agl@google.com>

Diffstat (limited to 'include/openssl/x509.h')
-rw-r--r-- include/openssl/x509.h 16
1 files changed, 16 insertions, 0 deletions

diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index a5aaf31b..3b21c143 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -1153,6 +1153,17 @@ OPENSSL_EXPORT int X509_TRUST_get_flags(X509_TRUST *xp);
OPENSSL_EXPORT char *X509_TRUST_get0_name(X509_TRUST *xp);
OPENSSL_EXPORT int X509_TRUST_get_trust(X509_TRUST *xp);
+
+typedef struct rsa_pss_params_st {
+ X509_ALGOR *hashAlgorithm;
+ X509_ALGOR *maskGenAlgorithm;
+ ASN1_INTEGER *saltLength;
+ ASN1_INTEGER *trailerField;
+} RSA_PSS_PARAMS;
+
+DECLARE_ASN1_FUNCTIONS(RSA_PSS_PARAMS)
+
+
/* PKCS7_get_certificates parses a PKCS#7, SignedData structure from |cbs| and
* appends the included certificates to |out_certs|. It returns one on success
* and zero on error. */
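
Review bot: RSA_PSS_PARAMS and DECLARE_ASN1_FUNCTIONS(RSA_PSS_PARAMS) enter this public header with no comment, while the PKCS7_get_certificates declaration directly below documents its contract. All four members are pointers, so the header should say what a NULL hashAlgorithm, maskGenAlgorithm, saltLength or trailerField means and who owns and frees them; a caller reading saltLength without that information has to guess whether absence is an error or a default. The commit message also says any new RSA-PSS code would have to use something else, which is worth stating in the same comment so the struct is not picked up as a general-purpose API. Minor: the hunk leaves two consecutive blank lines before the PKCS7 comment; one is enough.
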
@@ -1252,5 +1263,10 @@ OPENSSL_EXPORT int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls,
#define X509_R_WRONG_LOOKUP_TYPE 134
#define X509_R_WRONG_TYPE 135
#define X509_R_NO_CRLS_INCLUDED 136
+#define X509_R_CONTEXT_NOT_INITIALISED 137
+#define X509_R_INVALID_PSS_PARAMETERS 138
+#define X509_R_INVALID_SALT_LENGTH 139
+#define X509_R_INVALID_TRAILER 140
+#define X509_R_WRONG_PUBLIC_KEY_TYPE 141
#endif
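
Review bot: the five reason codes added at 137 to 141 carry no indication in this header of which checks raise them, and X509_R_INVALID_PSS_PARAMETERS, X509_R_INVALID_SALT_LENGTH and X509_R_INVALID_TRAILER are the ones a caller enforcing signature algorithm policy will want to tell apart. A short comment per code, or on the function that returns it, would make the distinction usable. Because the diff shown here is limited to include/openssl/x509.h, please also confirm that the rest of the change registers an error string for each new code and that any caller matching on the reason codes of the modules this logic was moved out of has been updated to the X509_R_ values.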