Provide X509_CRL_get0_tbs_sigalg()
authorTheo Buehler <tb@openbsd.org>
Sun, 6 Jul 2025 11:55:52 +0000 (13:55 +0200)
committerTomas Mraz <tomas@openssl.org>
Thu, 10 Jul 2025 12:39:35 +0000 (14:39 +0200)
X509_CRL_get0_tbs_sigalg() corresponds to X509_get0_tbs_sigalg() and
retrieves the AlgorithmIdentifier inside the TBSCertList which is not
currently accessible in any sane way from public API.

This PR adds X509_CRL_get0_tbs_sigalg() to the public API, documents it,
adds a simple regress check so there is coverage and mentions the
addition in CHANGES.md.

On top of that, fix a typo in .gitignore and clean up some order
inconsistencies in X509_get0_signature.pod.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27971)

.gitignore
CHANGES.md
crypto/x509/x509cset.c
doc/man3/X509_get0_signature.pod
include/openssl/x509.h.in
test/crltest.c
util/libcrypto.num

index 740914f135b42fa2e49c152d1d8d3946291afe85..7ab32ad61d32cdf2c5f7b7dae32228d70a6e5548 100644 (file)
@@ -93,7 +93,7 @@ providers/implementations/ciphers/ciphercommon.c
 providers/implementations/ciphers/ciphercommon_ccm.c
 providers/implementations/ciphers/ciphercommon_gcm.c
 providers/implementations/ciphers/cipher_chacha20_poly1305.c
-providers/implementations/digest/digestcommon.c
+providers/implementations/digests/digestcommon.c
 
 # error code files
 /crypto/err/openssl.txt.old
index a3b252df5319340a925b7565ca1f3ae1b2907565..67f83c5528cbeb53aa6fa9dd4b97cc955f696c1e 100644 (file)
@@ -117,6 +117,11 @@ OpenSSL 3.6
 
    *Dimitri John Ledkov*
 
+ * Add X509_CRL_get0_tbs_sigalg() accessor for the signature AlgorithmIdentifier
+   inside a CRL's TBSCertList.
+
+   *Theo Buehler*
+
  * HKDF with (SHA-256, SHA-384, SHA-512) has assigned OIDs. Added ability to load
    HKDF configured with these explicit digests by name or OID.
 
index e5dd4d5c3a3dd0cd1872f995bfc67cd2251c8494..f01d11e172c670de57dc63207162972c1dc80cea 100644 (file)
@@ -125,6 +125,11 @@ STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl)
     return crl->crl.revoked;
 }
 
+const X509_ALGOR *X509_CRL_get0_tbs_sigalg(const X509_CRL *crl)
+{
+    return &crl->crl.sig_alg;
+}
+
 void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
                              const X509_ALGOR **palg)
 {
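Review bot: The new accessor hands back a pointer into the CRL object itself (`&crl->crl.sig_alg`), so the result is only valid while `crl` is alive and must not be freed or modified; the `get0` suffix signals that, but nothing at the definition says so, and `crl` is dereferenced without a NULL check, which appears to match the neighbouring accessors. A short comment above the definition would help a reader who lands here rather than in the pod, e.g. `/* Inner (TBSCertList) signature AlgorithmIdentifier; owned by crl, not a copy */`. It is also worth stating that this is the to-be-signed algorithm, distinct from the outer one returned through the `palg` argument of X509_CRL_get0_signature(); RFC 5280 requires the two to be identical, and exposing the inner one is what lets a caller verify that, as the new regress test does.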
index 18d9be6c45af2be7e8a7a2582b4d494d98b6c462..3a8028a2653075d89c7147af1c7f5f1cd566a935 100644 (file)
@@ -5,9 +5,10 @@
 X509_get0_signature, X509_REQ_set0_signature, X509_REQ_set1_signature_algo,
 X509_get_signature_nid, X509_get0_tbs_sigalg, X509_REQ_get0_signature,
 X509_REQ_get_signature_nid, X509_CRL_get0_signature, X509_CRL_get_signature_nid,
+X509_CRL_get0_tbs_sigalg, X509_get_signature_info,
+X509_SIG_INFO_get, X509_SIG_INFO_set,
 X509_ACERT_get0_signature, X509_ACERT_get0_info_sigalg,
-X509_ACERT_get_signature_nid, X509_get_signature_info,
-X509_SIG_INFO_get, X509_SIG_INFO_set - signature information
+X509_ACERT_get_signature_nid - signature information
 
 =head1 SYNOPSIS
 
@@ -32,6 +33,7 @@ X509_SIG_INFO_get, X509_SIG_INFO_set - signature information
                               const ASN1_BIT_STRING **psig,
                               const X509_ALGOR **palg);
  int X509_CRL_get_signature_nid(const X509_CRL *crl);
+ const X509_ALGOR *X509_CRL_get0_tbs_sigalg(const X509_crl *crl);
 
  int X509_get_signature_info(X509 *x, int *mdnid, int *pknid, int *secbits,
                              uint32_t *flags);
@@ -56,8 +58,8 @@ pointers which B<MUST NOT> be freed up after the call.
 X509_set0_signature() and X509_REQ_set1_signature_algo() are the
 equivalent setters for the two values of X509_get0_signature().
 
-X509_get0_tbs_sigalg() returns the signature algorithm in the signed
-portion of B<x>.
+X509_get0_tbs_sigalg() and X509_CRL_get0_tbs_sigalg() return the signature
+algorithm in the signed portion of the certificate or CRL.
 
 X509_get_signature_nid() returns the NID corresponding to the signature
 algorithm of B<x>.
@@ -66,10 +68,6 @@ X509_REQ_get0_signature(), X509_REQ_get_signature_nid()
 X509_CRL_get0_signature() and X509_CRL_get_signature_nid() perform the
 same function for certificate requests and CRLs.
 
-X509_ACERT_get0_signature(), X509_ACERT_get_signature_nid() and
-X509_ACERT_get0_info_sigalg() perform the same function for attribute
-certificates.
-
 X509_get_signature_info() retrieves information about the signature of
 certificate B<x>. The NID of the signing digest is written to B<*mdnid>,
 the public key algorithm to B<*pknid>, the effective security bits to
@@ -82,6 +80,10 @@ used by implementations of algorithms which need to set custom
 signature information: most applications will never need to call
 them.
 
+X509_ACERT_get0_signature(), X509_ACERT_get_signature_nid() and
+X509_ACERT_get0_info_sigalg() perform the same function for attribute
+certificates.
+
 =head1 NOTES
 
 These functions provide lower level access to signatures in certificates
@@ -147,6 +149,8 @@ were added in OpenSSL 1.1.1e.
 The X509_ACERT_get0_signature(), X509_ACERT_get0_info_sigalg() and
 X509_ACERT_get_signature_nid() functions were added in OpenSSL 3.4.
 
+The X509_CRL_get0_tbs_sigalg() function was added in OpenSSL 3.6.
+
 =head1 COPYRIGHT
 
 Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
index 809b9c645d43a18e3dda30788b591611edfa97e1..7930762e5ccddf1aed2f113a6e54b64ed58ea364 100644 (file)
@@ -761,6 +761,7 @@ OSSL_DEPRECATEDIN_1_1_0 ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl);
 X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
 const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
 STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);
+const X509_ALGOR *X509_CRL_get0_tbs_sigalg(const X509_CRL *crl);
 void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
                              const X509_ALGOR **palg);
 int X509_CRL_get_signature_nid(const X509_CRL *crl);
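Review bot: The prototype added here declares the parameter as `const X509_CRL *crl`, matching the definition in crypto/x509/x509cset.c, but the SYNOPSIS line added in doc/man3/X509_get0_signature.pod reads `const X509_ALGOR *X509_CRL_get0_tbs_sigalg(const X509_crl *crl);` — `X509_crl` is not an OpenSSL type, so the manual page disagrees with the header. The pod line should be `const X509_ALGOR *X509_CRL_get0_tbs_sigalg(const X509_CRL *crl);`. Nothing else in this hunk needs changing.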
index c4e30d14fca90ffb48137dd0adf1f63f56cbbea5..a7382f87a434219a719e4e3b115b50c34848655d 100644 (file)
@@ -335,6 +335,7 @@ static int test_basic_crl(void)
 {
     X509_CRL *basic_crl = CRL_from_strings(kBasicCRL);
     X509_CRL *revoked_crl = CRL_from_strings(kRevokedCRL);
+    const X509_ALGOR *alg = NULL, *tbsalg;
     int r;
 
     r = TEST_ptr(basic_crl)
@@ -345,6 +346,14 @@ static int test_basic_crl(void)
         && TEST_int_eq(verify(test_leaf, test_root,
                               make_CRL_stack(basic_crl, revoked_crl),
                               X509_V_FLAG_CRL_CHECK), X509_V_ERR_CERT_REVOKED);
+    if (r) {
+        X509_CRL_get0_signature(basic_crl, NULL, &alg);
+        tbsalg = X509_CRL_get0_tbs_sigalg(basic_crl);
+        r = TEST_ptr(alg)
+            && TEST_ptr(tbsalg)
+            && TEST_int_eq(X509_ALGOR_cmp(alg, tbsalg), 0);
+    }
+
     X509_CRL_free(basic_crl);
     X509_CRL_free(revoked_crl);
     return r;
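Review bot: In the first hunk's declaration `const X509_ALGOR *alg = NULL, *tbsalg;`, `alg` is initialised while `tbsalg` is not; both are assigned and read only inside the `if (r)` block, so this is safe, but the mixed form reads as if `tbsalg` were deliberately different. Suggest `const X509_ALGOR *alg = NULL, *tbsalg = NULL;`. The property being pinned — X509_ALGOR_cmp() between the outer algorithm obtained via X509_CRL_get0_signature() and the TBSCertList one — is the right one, since RFC 5280 requires the two identifiers to match, and the `if (r)` guard keeps the accessor from being exercised on a CRL that failed to parse. test_basic_crl()'s signature sits just before the first hunk and its closing brace after the second, so the function is not fully visible here.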
index 8079cdbd853464155d0791ba9af7a38b88cb7487..96e646f3dc11c4658b9b4e533129959c28fa1608 100644 (file)
@@ -5929,3 +5929,4 @@ OPENSSL_sk_set_thunks                   ? 3_6_0   EXIST::FUNCTION:
 i2d_PKCS8PrivateKey                     ?      3_6_0   EXIST::FUNCTION:
 OSSL_PARAM_set_octet_string_or_ptr      ?      3_6_0   EXIST::FUNCTION:
 OSSL_STORE_LOADER_settable_ctx_params   ?      3_6_0   EXIST::FUNCTION:
+X509_CRL_get0_tbs_sigalg                ?      3_6_0   EXIST::FUNCTION: