To clarify one point, if you create a private API to allow tests of private functions, I consider that to be white-box testing. Those are tests that cover internal aspects of behaviour that nobody else should rely on, which might change in future versions.
I would consider this black-box testing of the private API. The API you expose to the world and the API you expose to your code are rarely going to be identical. Of course, you should test the complete API, not just the API you expose to the world. If the rest of the world considers this white-box, then, in my public API, I'll consider this white-box as well. What it maps to in my personal implementation of this spec is irrelevant. :-)
My criteria for good software:
- Does it work?
- Can someone else come in, make a change, and be reasonably certain no bugs were introduced?