Roll boringssl to latest commit

Boringssl now has built-in bazel support, so we no longer have to use a commit
from main-with-bazel instead of the primary branch. A few code changes are
needed based on the RSA struct now being opaque, which is why we deferred
updating this so far.

WORKSPACE

@@ -52,13 +52,22 @@ http_archive(
     urls = ["https://github.com/capnproto/capnproto/tarball/6446b721a9860eebccf9d3c73b27610491359b5a"],
 )
 
+# Needed for boringssl
+http_archive(
+    name = "rules_license",
+    sha256 = "26d4021f6898e23b82ef953078389dd49ac2b5618ac564ade4ef87cced147b38",
+    urls = [
+        "https://mirror.bazel.build/github.com/bazelbuild/rules_license/releases/download/1.0.0/rules_license-1.0.0.tar.gz",
+        "https://github.com/bazelbuild/rules_license/releases/download/1.0.0/rules_license-1.0.0.tar.gz",
+    ],
+)
+
 http_archive(
     name = "ssl",
-    sha256 = "57261442e663ad0a0dc5c4eae59322440bfce61f1edc4fe4338179a6abc14034",
-    strip_prefix = "google-boringssl-8ae84b5",
+    integrity = "sha256-KaF+56JPXq5K6Wp9fOvg5QZJHeyfisyJOi+bkEpZy+0=",
+    strip_prefix = "google-boringssl-59c222f",
     type = "tgz",
-    # from master-with-bazel branch
-    urls = ["https://github.com/google/boringssl/tarball/8ae84b558b3d3af50a323c7e3800998764e77375"],
+    urls = ["https://github.com/google/boringssl/tarball/59c222fcf123ec2026da450a0a8676436751a351"],
 )
 
 http_archive(

src/workerd/api/crypto/impl.h

@@ -428,4 +428,5 @@ KJ_DECLARE_NON_POLYMORPHIC(EC_GROUP);
 KJ_DECLARE_NON_POLYMORPHIC(BN_CTX);
 KJ_DECLARE_NON_POLYMORPHIC(EVP_PKEY);
 KJ_DECLARE_NON_POLYMORPHIC(EVP_PKEY_CTX);
+KJ_DECLARE_NON_POLYMORPHIC(RSA);
 // Tell KJ that these OpenSSL types are non-polymorphic so that they can be wrapped in kj::Own.

src/workerd/api/crypto/rsa.c++

@@ -240,11 +240,16 @@ SubtleCrypto::JsonWebKey Rsa::toJwk(
 
   if (keyType == KeyType::PRIVATE) {
     jwk.d = kj::encodeBase64Url(KJ_REQUIRE_NONNULL(bignumToArray(KJ_REQUIRE_NONNULL(d))));
-    jwk.p = kj::encodeBase64Url(KJ_REQUIRE_NONNULL(bignumToArray(KJ_REQUIRE_NONNULL(rsa->p))));
-    jwk.q = kj::encodeBase64Url(KJ_REQUIRE_NONNULL(bignumToArray(KJ_REQUIRE_NONNULL(rsa->q))));
-    jwk.dp = kj::encodeBase64Url(KJ_REQUIRE_NONNULL(bignumToArray(KJ_REQUIRE_NONNULL(rsa->dmp1))));
-    jwk.dq = kj::encodeBase64Url(KJ_REQUIRE_NONNULL(bignumToArray(KJ_REQUIRE_NONNULL(rsa->dmq1))));
-    jwk.qi = kj::encodeBase64Url(KJ_REQUIRE_NONNULL(bignumToArray(KJ_REQUIRE_NONNULL(rsa->iqmp))));
+    jwk.p =
+        kj::encodeBase64Url(KJ_REQUIRE_NONNULL(bignumToArray(KJ_REQUIRE_NONNULL(RSA_get0_p(rsa)))));
+    jwk.q =
+        kj::encodeBase64Url(KJ_REQUIRE_NONNULL(bignumToArray(KJ_REQUIRE_NONNULL(RSA_get0_q(rsa)))));
+    jwk.dp = kj::encodeBase64Url(
+        KJ_REQUIRE_NONNULL(bignumToArray(KJ_REQUIRE_NONNULL(RSA_get0_dmp1(rsa)))));
+    jwk.dq = kj::encodeBase64Url(
+        KJ_REQUIRE_NONNULL(bignumToArray(KJ_REQUIRE_NONNULL(RSA_get0_dmq1(rsa)))));
+    jwk.qi = kj::encodeBase64Url(
+        KJ_REQUIRE_NONNULL(bignumToArray(KJ_REQUIRE_NONNULL(RSA_get0_iqmp(rsa)))));
   }
 
   return jwk;

src/workerd/api/crypto/x509.c++

@@ -783,9 +783,9 @@ jsg::JsObject X509Certificate::toLegacyObject(jsg::Lock& js) {
       case EVP_PKEY_RSA: {
         RSA* rsa = EVP_PKEY_get0_RSA(key.get());
         KJ_ASSERT(rsa != nullptr);
-        obj.set(js, "modulus", js.str(getModulusString(bio.get(), rsa->n)));
-        obj.set(js, "bits", js.num(BN_num_bits(rsa->n)));
-        obj.set(js, "exponent", js.str(getExponentString(bio.get(), rsa->e)));
+        obj.set(js, "modulus", js.str(getModulusString(bio.get(), RSA_get0_n(rsa))));
+        obj.set(js, "bits", js.num(RSA_bits(rsa)));
+        obj.set(js, "exponent", js.str(getExponentString(bio.get(), RSA_get0_e(rsa))));
         obj.set(js, "pubkey", jsg::JsValue(js.bytes(getRsaPubKey(rsa)).getHandle(js)));
         break;
       }