feat: support the authorityAttributeIdentifier X.509v3 extension
authorJonathan M. Wilbur <jonathan@wilbur.space>
Wed, 21 Aug 2024 02:24:15 +0000 (02:24 +0000)
committerTomas Mraz <tomas@openssl.org>
Tue, 10 Sep 2024 17:17:34 +0000 (19:17 +0200)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25244)

crypto/x509/build.info
crypto/x509/ext_dat.h
crypto/x509/standard_exts.h
crypto/x509/v3_authattid.c [new file with mode: 0644]
include/openssl/x509_acert.h.in
util/libcrypto.num

index 8f3e0528468f8120d3e7526fa4f062337508d894..ea64c26061dff46fdcaaaddb969c88c23c1ec2c9 100644 (file)
@@ -17,7 +17,7 @@ SOURCE[../../libcrypto]=\
         v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c v3_no_rev_avail.c \
         v3_soa_id.c v3_no_ass.c v3_group_ac.c v3_single_use.c v3_ind_iss.c \
         x509_acert.c x509aset.c t_acert.c x_ietfatt.c v3_ac_tgt.c v3_sda.c \
-        v3_usernotice.c v3_battcons.c v3_audit_id.c v3_iobo.c
+        v3_usernotice.c v3_battcons.c v3_audit_id.c v3_iobo.c v3_authattid.c
 
 IF[{- !$disabled{'deprecated-3.0'} -}]
   SOURCE[../../libcrypto]=x509type.c
index 9a52ba238af4f555269f5553fabcd0abbb77e305..1f08fe32029ac3e7757667e095c362c54a9d1e02 100644 (file)
@@ -42,3 +42,4 @@ extern const X509V3_EXT_METHOD ossl_v3_user_notice;
 extern const X509V3_EXT_METHOD ossl_v3_battcons;
 extern const X509V3_EXT_METHOD ossl_v3_audit_identity;
 extern const X509V3_EXT_METHOD ossl_v3_issued_on_behalf_of;
+extern const X509V3_EXT_METHOD ossl_v3_authority_attribute_identifier;
index 4da6ebb8a547adf05f298f27a60dccad43f7f014..477f810010079ad0fbb6a4228d9a455d7ca6b8ad 100644 (file)
@@ -76,6 +76,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
     &ossl_v3_issuer_sign_tool,
     &ossl_v3_tls_feature,
     &ossl_v3_ext_admission,
+    &ossl_v3_authority_attribute_identifier,
     &ossl_v3_battcons,
     &ossl_v3_delegated_name_constraints,
     &ossl_v3_user_notice,
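Review bot: The placement of `&ossl_v3_authority_attribute_identifier` between ossl_v3_ext_admission and ossl_v3_battcons needs to be verified against NID order rather than alphabetical or logical grouping: if standard_exts[] is still searched with OBJ_bsearch, as its header comment (outside this hunk) states, the table must stay sorted by ext_nid, so NID_authority_attribute_identifier must sort between the NIDs of those two neighbours. Nothing in this hunk shows the NID values, so this is worth confirming against the generated obj_dat.h; a wrong position does not fail the build, it silently makes X509V3_EXT_get_nid() miss the entry and the extension falls back to the unsupported printer. A short comment directly above the array, `/* keep sorted by NID: OBJ_bsearch is used on this table */`, would spare the next addition the same question.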
diff --git a/crypto/x509/v3_authattid.c b/crypto/x509/v3_authattid.c
new file mode 100644 (file)
index 0000000..65d9bb6
--- /dev/null
@@ -0,0 +1,80 @@
+/*
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/asn1t.h>
+#include <openssl/x509v3.h>
+#include <crypto/x509_acert.h>
+#include <openssl/x509_acert.h>
+#include "crypto/asn1.h"
+#include "ext_dat.h"
+
+DECLARE_ASN1_ITEM(OSSL_ISSUER_SERIAL)
+
+ASN1_ITEM_TEMPLATE(OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX, OSSL_ISSUER_SERIAL)
+ASN1_ITEM_TEMPLATE_END(OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX)
+
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX)
+
+static int i2r_ISSUER_SERIAL(X509V3_EXT_METHOD *method,
+                             OSSL_ISSUER_SERIAL *iss,
+                             BIO *out, int indent)
+{
+    if (iss->issuer != NULL) {
+        BIO_printf(out, "%*sIssuer Names:\n", indent, "");
+        OSSL_GENERAL_NAMES_print(out, iss->issuer, indent);
+        BIO_puts(out, "\n");
+    } else {
+        BIO_printf(out, "%*sIssuer Names: <none>\n", indent, "");
+    }
+    BIO_printf(out, "%*sIssuer Serial: ", indent, "");
+    if (i2a_ASN1_INTEGER(out, &(iss->serial)) <= 0)
+        return 0;
+    BIO_puts(out, "\n");
+    if (iss->issuerUID != NULL) {
+        BIO_printf(out, "%*sIssuer UID: ", indent, "");
+        if (i2a_ASN1_STRING(out, iss->issuerUID, V_ASN1_BIT_STRING) <= 0)
+            return 0;
+        BIO_puts(out, "\n");
+    } else {
+        BIO_printf(out, "%*sIssuer UID: <none>\n", indent, "");
+    }
+    return 1;
+}
+
+static int i2r_auth_attr_id(X509V3_EXT_METHOD *method,
+                            OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX *aids,
+                            BIO *out, int indent)
+{
+    int i;
+    OSSL_ISSUER_SERIAL *aid;
+
+    for (i = 0; i < sk_OSSL_ISSUER_SERIAL_num(aids); i++) {
+        if (BIO_printf(out, "%*sIssuer-Serials:\n", indent, "") <= 0)
+            return 0;
+        aid = sk_OSSL_ISSUER_SERIAL_value(aids, i);
+        if (i2r_ISSUER_SERIAL(method, aid, out, indent + 4) <= 0)
+            return 0;
+        if (BIO_puts(out, "\n") <= 0)
+            return 0;
+    }
+    return 1;
+}
+
+const X509V3_EXT_METHOD ossl_v3_authority_attribute_identifier = {
+    NID_authority_attribute_identifier, X509V3_EXT_MULTILINE,
+    ASN1_ITEM_ref(OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX),
+    0, 0, 0, 0,
+    0,
+    0,
+    0, 0,
+    (X509V3_EXT_I2R)i2r_auth_attr_id,
+    0,
+    NULL
+};
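Review bot: i2r_ISSUER_SERIAL ignores the return values of BIO_printf, OSSL_GENERAL_NAMES_print and BIO_puts in the "Issuer Names" and "Issuer UID" branches while its caller i2r_auth_attr_id checks every BIO call, so a write failure in the issuer part is never reported and the caller's error handling is only partial; the helper should return 0 on the first failed write, as sketched below. i2r_auth_attr_id also prints the `Issuer-Serials:` heading inside the loop, once per element, which presumably was meant to be printed once before the loop (or be a per-entry label such as `Issuer-Serial %d:`). The ASN.1 template accepts an empty SEQUENCE, whereas X.509 defines AuthorityAttributeIdentifierSyntax as `SEQUENCE SIZE (1..MAX) OF IssuerSerial` if I recall correctly; the template cannot express that constraint, so if it should be enforced a consumer-side check (or an ASN1 callback) is needed, and a comment on the template saying the bound is not enforced would avoid surprising the next reader. Minor: a file created in 2024 should carry `Copyright 2024 The OpenSSL Project Authors` rather than `1999-2024`.
```c
static int i2r_ISSUER_SERIAL(X509V3_EXT_METHOD *method,
                             OSSL_ISSUER_SERIAL *iss,
                             BIO *out, int indent)
{
    if (iss->issuer != NULL) {
        if (BIO_printf(out, "%*sIssuer Names:\n", indent, "") <= 0
            || OSSL_GENERAL_NAMES_print(out, iss->issuer, indent) <= 0
            || BIO_puts(out, "\n") <= 0)
            return 0;
    } else if (BIO_printf(out, "%*sIssuer Names: <none>\n", indent, "") <= 0) {
        return 0;
    }
    if (BIO_printf(out, "%*sIssuer Serial: ", indent, "") <= 0
        || i2a_ASN1_INTEGER(out, &(iss->serial)) <= 0
        || BIO_puts(out, "\n") <= 0)
        return 0;
    /* … unchanged: issuerUID branch, with the same <= 0 checks on every write … */
    return 1;
}
```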
index 76570d49549fae5609a1c75542beabbd2111b9c5..bf4395eec6aa58d5914f7a4ab0f98efc1385fea6 100644 (file)
@@ -189,4 +189,11 @@ DECLARE_ASN1_FUNCTIONS(OSSL_TARGET)
 DECLARE_ASN1_FUNCTIONS(OSSL_TARGETS)
 DECLARE_ASN1_FUNCTIONS(OSSL_TARGETING_INFORMATION)
 
+typedef STACK_OF(OSSL_ISSUER_SERIAL) OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX;
+DECLARE_ASN1_FUNCTIONS(OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX)
+
+{-
+    generate_stack_macros("OSSL_ISSUER_SERIAL");
+-}
+
 #endif
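Review bot: The functions declared by DECLARE_ASN1_FUNCTIONS(OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX) and the generated OSSL_ISSUER_SERIAL stack macros become exported API (they are also added to util/libcrypto.num in this commit), yet the diffstat shows no doc/man3 change and no test exercising the new decoder or printer. Unless documentation and a test vector land in a follow-up, an entry in doc/man3 (or at least the _new/_free/d2i/i2d names in the generic ASN1 function documentation) and a parse/print round-trip test of a sample extension are what a reviewer would expect before the symbols are frozen in the .num file. A one-line comment above the typedef stating what the type models would also help, e.g. `/* X.509 AuthorityAttributeIdentifierSyntax: SEQUENCE OF IssuerSerial naming the AA's own attribute certificate(s) */`, hedged here since the X.509 text is not in this hunk.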
index b231ca40bd4b063338b29b58a934e3083670fcfc..39b1068006cb6476a3acf2ddaa97aebf455ddd93 100644 (file)
@@ -5734,3 +5734,8 @@ EVP_CIPHER_CTX_get_algor                5861      3_4_0   EXIST::FUNCTION:
 EVP_PKEY_CTX_set_algor_params           5862   3_4_0   EXIST::FUNCTION:
 EVP_PKEY_CTX_get_algor_params           5863   3_4_0   EXIST::FUNCTION:
 EVP_PKEY_CTX_get_algor                  5864   3_4_0   EXIST::FUNCTION:
+d2i_OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX  ?      3_5_0   EXIST::FUNCTION:
+i2d_OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX  ?      3_5_0   EXIST::FUNCTION:
+OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX_free ?      3_5_0   EXIST::FUNCTION:
+OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX_new  ?      3_5_0   EXIST::FUNCTION:
+OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX_it   ?      3_5_0   EXIST::FUNCTION: