delete more things + change how we remove extensions

phbnf · phbnf · commit 10cfd1d4419e · 2025-09-12T17:28:24.000Z
diff --git a/internal/ct/chain_validation.go b/internal/ct/chain_validation.go
@@ -336,15 +336,15 @@ func chainsEquivalent(inChain []*x509.Certificate, verifiedChain []*x509.Certifi
 }
 
 // removeExtension removes a given extension from a list.
-func removeExtension(oid asn1.ObjectIdentifier, extensions []pkix.Extension) {
+func removeExtension(extensions []pkix.Extension, oid asn1.ObjectIdentifier) []pkix.Extension {
 	i := 0
 	for _, e := range extensions {
 		if !e.Id.Equal(oid) {
 			extensions[i] = e
 			i++
 		}
 	}
-	extensions = extensions[:i]
+	return extensions[:i]
 }
 
 // relaxCert modifies parsed certificates fields to relax verification constraints.
@@ -354,7 +354,7 @@ func relaxCert(cert *x509.Certificate) {
 	cert.UnknownExtKeyUsage = nil
 
 	// Name constraints
-	removeExtension(oidExtensionNameConstraints, cert.Extensions)
+	cert.Extensions = removeExtension(cert.Extensions, oidExtensionNameConstraints)
 	cert.PermittedDNSDomainsCritical = false
 	cert.PermittedDNSDomains = nil
 	cert.ExcludedDNSDomains = nil
@@ -372,7 +372,7 @@ func relaxCert(cert *x509.Certificate) {
 	cert.MaxPathLenZero = false
 
 	// Policies
-	removeExtension(oidExtensionCertificatePolicies, cert.Extensions)
+	cert.Extensions = removeExtension(cert.Extensions, oidExtensionCertificatePolicies)
 	cert.Policies = []x509.OID{mustNewOIDFromInts(oidAnyPolicyExtension)}
 	cert.PolicyIdentifiers = nil
 	cert.PolicyMappings = nil
diff --git a/internal/lax509/cert_pool.go b/internal/lax509/cert_pool.go
@@ -5,7 +5,6 @@
 package lax509
 
 import (
-	"bytes"
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/pem"
@@ -78,12 +77,6 @@ func (s *CertPool) len() int {
 	return len(s.lazyCerts)
 }
 
-// cert returns cert index n in s.
-func (s *CertPool) cert(n int) (*x509.Certificate, func([]*x509.Certificate) error, error) {
-	cert, err := s.lazyCerts[n].getCert()
-	return cert, s.lazyCerts[n].constraint, err
-}
-
 // Clone returns a copy of s.
 func (s *CertPool) Clone() *CertPool {
 	p := &CertPool{
@@ -104,60 +97,6 @@ func (s *CertPool) Clone() *CertPool {
 	return p
 }
 
-type potentialParent struct {
-	cert       *x509.Certificate
-	constraint func([]*x509.Certificate) error
-}
-
-// findPotentialParents returns the certificates in s which might have signed
-// cert.
-func (s *CertPool) findPotentialParents(cert *x509.Certificate) []potentialParent {
-	if s == nil {
-		return nil
-	}
-
-	// consider all candidates where cert.Issuer matches cert.Subject.
-	// when picking possible candidates the list is built in the order
-	// of match plausibility as to save cycles in buildChains:
-	//   AKID and SKID match
-	//   AKID present, SKID missing / AKID missing, SKID present
-	//   AKID and SKID don't match
-	var matchingKeyID, oneKeyID, mismatchKeyID []potentialParent
-	for _, c := range s.byName[string(cert.RawIssuer)] {
-		candidate, constraint, err := s.cert(c)
-		if err != nil {
-			continue
-		}
-		kidMatch := bytes.Equal(candidate.SubjectKeyId, cert.AuthorityKeyId)
-		switch {
-		case kidMatch:
-			matchingKeyID = append(matchingKeyID, potentialParent{candidate, constraint})
-		case (len(candidate.SubjectKeyId) == 0 && len(cert.AuthorityKeyId) > 0) ||
-			(len(candidate.SubjectKeyId) > 0 && len(cert.AuthorityKeyId) == 0):
-			oneKeyID = append(oneKeyID, potentialParent{candidate, constraint})
-		default:
-			mismatchKeyID = append(mismatchKeyID, potentialParent{candidate, constraint})
-		}
-	}
-
-	found := len(matchingKeyID) + len(oneKeyID) + len(mismatchKeyID)
-	if found == 0 {
-		return nil
-	}
-	candidates := make([]potentialParent, 0, found)
-	candidates = append(candidates, matchingKeyID...)
-	candidates = append(candidates, oneKeyID...)
-	candidates = append(candidates, mismatchKeyID...)
-	return candidates
-}
-
-func (s *CertPool) contains(cert *x509.Certificate) bool {
-	if s == nil {
-		return false
-	}
-	return s.haveSum[sha256.Sum224(cert.Raw)]
-}
-
 // AddCert adds a certificate to a pool.
 func (s *CertPool) AddCert(cert *x509.Certificate) {
 	if cert == nil {
diff --git a/internal/x509util/pem_cert_pool.go b/internal/x509util/pem_cert_pool.go
@@ -22,7 +22,6 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/transparency-dev/tesseract/internal/lax509"
 	"k8s.io/klog/v2"
 )
 
@@ -37,12 +36,12 @@ type PEMCertPool struct {
 	// maps from sha-256 to certificate, used for dup detection
 	fingerprintToCertMap map[[sha256.Size]byte]x509.Certificate
 	rawCerts             []*x509.Certificate
-	certPool             *lax509.CertPool
+	certPool             *x509.CertPool
 }
 
 // NewPEMCertPool creates a new, empty, instance of PEMCertPool.
 func NewPEMCertPool() *PEMCertPool {
-	return &PEMCertPool{fingerprintToCertMap: make(map[[sha256.Size]byte]x509.Certificate), certPool: lax509.NewCertPool()}
+	return &PEMCertPool{fingerprintToCertMap: make(map[[sha256.Size]byte]x509.Certificate), certPool: x509.NewCertPool()}
 }
 
 // AddCert adds a certificate to a pool. Uses fingerprint to weed out duplicates.
@@ -105,16 +104,6 @@ func (p *PEMCertPool) AppendCertsFromPEMFile(pemFile string) error {
 	return nil
 }
 
-// Subjects returns a list of the DER-encoded subjects of all of the certificates in the pool.
-func (p *PEMCertPool) Subjects() (res [][]byte) {
-	return p.certPool.Subjects()
-}
-
-// CertPool returns the underlying CertPool.
-func (p *PEMCertPool) CertPool() *lax509.CertPool {
-	return p.certPool
-}
-
 // RawCertificates returns a list of the raw bytes of certificates that are in this pool
 func (p *PEMCertPool) RawCertificates() []*x509.Certificate {
 	return p.rawCerts
diff --git a/internal/x509util/pem_cert_pool_test.go b/internal/x509util/pem_cert_pool_test.go
@@ -30,7 +30,7 @@ func TestLoadSingleCertFromPEMs(t *testing.T) {
 		if !ok {
 			t.Fatal("Expected to append a certificate ok")
 		}
-		if got, want := len(pool.Subjects()), 1; got != want {
+		if got, want := len(pool.RawCertificates()), 1; got != want {
 			t.Fatalf("Got %d cert(s) in the pool, expected %d", got, want)
 		}
 	}
@@ -44,7 +44,7 @@ func TestBadOrEmptyCertificateRejected(t *testing.T) {
 		if ok {
 			t.Fatal("Expected appending no certs")
 		}
-		if got, want := len(pool.Subjects()), 0; got != want {
+		if got, want := len(pool.RawCertificates()), 0; got != want {
 			t.Fatalf("Got %d cert(s) in pool, expected %d", got, want)
 		}
 	}
@@ -57,7 +57,7 @@ func TestLoadMultipleCertsFromPEM(t *testing.T) {
 	if !ok {
 		t.Fatal("Rejected valid multiple certs")
 	}
-	if got, want := len(pool.Subjects()), 2; got != want {
+	if got, want := len(pool.RawCertificates()), 2; got != want {
 		t.Fatalf("Got %d certs in pool, expected %d", got, want)
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ func TestLoadSingleCertFromPEMs(t *testing.T) {`
`30`	`30`	`if !ok {`
`31`	`31`	`t.Fatal("Expected to append a certificate ok")`
`32`	`32`	`}`
`33`		`- if got, want := len(pool.Subjects()), 1; got != want {`
	`33`	`+ if got, want := len(pool.RawCertificates()), 1; got != want {`
`34`	`34`	`t.Fatalf("Got %d cert(s) in the pool, expected %d", got, want)`
`35`	`35`	`}`
`36`	`36`	`}`
`@@ -44,7 +44,7 @@ func TestBadOrEmptyCertificateRejected(t *testing.T) {`
`44`	`44`	`if ok {`
`45`	`45`	`t.Fatal("Expected appending no certs")`
`46`	`46`	`}`
`47`		`- if got, want := len(pool.Subjects()), 0; got != want {`
	`47`	`+ if got, want := len(pool.RawCertificates()), 0; got != want {`
`48`	`48`	`t.Fatalf("Got %d cert(s) in pool, expected %d", got, want)`
`49`	`49`	`}`
`50`	`50`	`}`
`@@ -57,7 +57,7 @@ func TestLoadMultipleCertsFromPEM(t *testing.T) {`
`57`	`57`	`if !ok {`
`58`	`58`	`t.Fatal("Rejected valid multiple certs")`
`59`	`59`	`}`
`60`		`- if got, want := len(pool.Subjects()), 2; got != want {`
	`60`	`+ if got, want := len(pool.RawCertificates()), 2; got != want {`
`61`	`61`	`t.Fatalf("Got %d certs in pool, expected %d", got, want)`
`62`	`62`	`}`
`63`	`63`	`}`