feat: support the roleSpecCertIdentifier X.509v3 extension
authorJonathan M. Wilbur <jonathan@wilbur.space>
Wed, 11 Sep 2024 00:44:35 +0000 (00:44 +0000)
committerTomas Mraz <tomas@openssl.org>
Mon, 16 Sep 2024 20:56:02 +0000 (22:56 +0200)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25428)

crypto/x509/build.info
crypto/x509/ext_dat.h
crypto/x509/standard_exts.h
crypto/x509/v3_rolespec.c [new file with mode: 0644]
include/openssl/x509v3.h.in

index ea64c26061dff46fdcaaaddb969c88c23c1ec2c9..9d15c481fd9a565dd60517f30e9e06a504318436 100644 (file)
@@ -17,7 +17,8 @@ SOURCE[../../libcrypto]=\
         v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c v3_no_rev_avail.c \
         v3_soa_id.c v3_no_ass.c v3_group_ac.c v3_single_use.c v3_ind_iss.c \
         x509_acert.c x509aset.c t_acert.c x_ietfatt.c v3_ac_tgt.c v3_sda.c \
-        v3_usernotice.c v3_battcons.c v3_audit_id.c v3_iobo.c v3_authattid.c
+        v3_usernotice.c v3_battcons.c v3_audit_id.c v3_iobo.c v3_authattid.c \
+        v3_rolespec.c
 
 IF[{- !$disabled{'deprecated-3.0'} -}]
   SOURCE[../../libcrypto]=x509type.c
index 1f08fe32029ac3e7757667e095c362c54a9d1e02..b670e3843ad622e03037163b3ea124dc418f6290 100644 (file)
@@ -43,3 +43,4 @@ extern const X509V3_EXT_METHOD ossl_v3_battcons;
 extern const X509V3_EXT_METHOD ossl_v3_audit_identity;
 extern const X509V3_EXT_METHOD ossl_v3_issued_on_behalf_of;
 extern const X509V3_EXT_METHOD ossl_v3_authority_attribute_identifier;
+extern const X509V3_EXT_METHOD ossl_v3_role_spec_cert_identifier;
index 477f810010079ad0fbb6a4228d9a455d7ca6b8ad..19e5eab161aceb8464e3ada78fa19d56e1d39629 100644 (file)
@@ -77,6 +77,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
     &ossl_v3_tls_feature,
     &ossl_v3_ext_admission,
     &ossl_v3_authority_attribute_identifier,
+    &ossl_v3_role_spec_cert_identifier,
     &ossl_v3_battcons,
     &ossl_v3_delegated_name_constraints,
     &ossl_v3_user_notice,
diff --git a/crypto/x509/v3_rolespec.c b/crypto/x509/v3_rolespec.c
new file mode 100644 (file)
index 0000000..c371e14
--- /dev/null
@@ -0,0 +1,95 @@
+/*
+ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/asn1t.h>
+#include <openssl/x509v3.h>
+#include <crypto/x509.h>
+#include "ext_dat.h"
+
+ASN1_SEQUENCE(OSSL_ROLE_SPEC_CERT_ID) = {
+    ASN1_EXP(OSSL_ROLE_SPEC_CERT_ID, roleName, GENERAL_NAME, 0),
+    ASN1_EXP(OSSL_ROLE_SPEC_CERT_ID, roleCertIssuer, GENERAL_NAME, 1),
+    ASN1_IMP_OPT(OSSL_ROLE_SPEC_CERT_ID, roleCertSerialNumber, ASN1_INTEGER, 2),
+    ASN1_IMP_SEQUENCE_OF_OPT(OSSL_ROLE_SPEC_CERT_ID, roleCertLocator, GENERAL_NAME, 3),
+} ASN1_SEQUENCE_END(OSSL_ROLE_SPEC_CERT_ID)
+
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_ROLE_SPEC_CERT_ID)
+
+ASN1_ITEM_TEMPLATE(OSSL_ROLE_SPEC_CERT_ID_SYNTAX) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF,
+                          0, OSSL_ROLE_SPEC_CERT_ID_SYNTAX, OSSL_ROLE_SPEC_CERT_ID)
+ASN1_ITEM_TEMPLATE_END(OSSL_ROLE_SPEC_CERT_ID_SYNTAX)
+
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_ROLE_SPEC_CERT_ID_SYNTAX)
+
+static int i2r_OSSL_ROLE_SPEC_CERT_ID(X509V3_EXT_METHOD *method,
+                                      OSSL_ROLE_SPEC_CERT_ID *rscid,
+                                      BIO *out, int indent)
+{
+    if (BIO_printf(out, "%*sRole Name: ", indent, "") <= 0)
+        return 0;
+    if (GENERAL_NAME_print(out, rscid->roleName) <= 0)
+        return 0;
+    if (BIO_puts(out, "\n") <= 0)
+        return 0;
+    if (BIO_printf(out, "%*sRole Certificate Issuer: ", indent, "") <= 0)
+        return 0;
+    if (GENERAL_NAME_print(out, rscid->roleCertIssuer) <= 0)
+        return 0;
+    if (rscid->roleCertSerialNumber != NULL) {
+        if (BIO_puts(out, "\n") <= 0)
+            return 0;
+        if (BIO_printf(out, "%*sRole Certificate Serial Number: ", indent, "") <= 0)
+            return 0;
+        if (ossl_serial_number_print(out, rscid->roleCertSerialNumber, indent) != 0)
+            return 0;
+    }
+    if (rscid->roleCertLocator != NULL) {
+        if (BIO_puts(out, "\n") <= 0)
+            return 0;
+        if (BIO_printf(out, "%*sRole Certificate Locator:\n", indent, "") <= 0)
+            return 0;
+        if (OSSL_GENERAL_NAMES_print(out, rscid->roleCertLocator, indent) <= 0)
+            return 0;
+    }
+    return BIO_puts(out, "\n");
+}
+
+static int i2r_OSSL_ROLE_SPEC_CERT_ID_SYNTAX(X509V3_EXT_METHOD *method,
+                                             OSSL_ROLE_SPEC_CERT_ID_SYNTAX *rscids,
+                                             BIO *out, int indent)
+{
+    OSSL_ROLE_SPEC_CERT_ID *rscid;
+    int i;
+
+    for (i = 0; i < sk_OSSL_ROLE_SPEC_CERT_ID_num(rscids); i++) {
+        if (i > 0 && BIO_puts(out, "\n") <= 0)
+            return 0;
+        if (BIO_printf(out,
+                       "%*sRole Specification Certificate Identifier #%d:\n",
+                       indent, "", i + 1) <= 0)
+            return 0;
+        rscid = sk_OSSL_ROLE_SPEC_CERT_ID_value(rscids, i);
+        if (i2r_OSSL_ROLE_SPEC_CERT_ID(method, rscid, out, indent + 4) != 1)
+            return 0;
+    }
+    return 1;
+}
+
+const X509V3_EXT_METHOD ossl_v3_role_spec_cert_identifier = {
+    NID_role_spec_cert_identifier, X509V3_EXT_MULTILINE,
+    ASN1_ITEM_ref(OSSL_ROLE_SPEC_CERT_ID_SYNTAX),
+    0, 0, 0, 0,
+    0, 0,
+    0,
+    0,
+    (X509V3_EXT_I2R)i2r_OSSL_ROLE_SPEC_CERT_ID_SYNTAX,
+    NULL,
+    NULL
+};
index 0f37e1348dc60af6e3d2833cd7096fdeadcba573..5e0605fe9c3c63d3958909915f83a156b4216ca1 100644 (file)
@@ -1037,6 +1037,22 @@ DECLARE_ASN1_FUNCTIONS(OSSL_USER_NOTICE_SYNTAX)
     generate_stack_macros("USERNOTICE");
 -}
 
+typedef struct OSSL_ROLE_SPEC_CERT_ID_st {
+    GENERAL_NAME *roleName;
+    GENERAL_NAME *roleCertIssuer;
+    ASN1_INTEGER *roleCertSerialNumber;
+    GENERAL_NAMES *roleCertLocator;
+} OSSL_ROLE_SPEC_CERT_ID;
+
+DECLARE_ASN1_FUNCTIONS(OSSL_ROLE_SPEC_CERT_ID)
+{-
+    generate_stack_macros("OSSL_ROLE_SPEC_CERT_ID");
+-}
+
+typedef STACK_OF(OSSL_ROLE_SPEC_CERT_ID) OSSL_ROLE_SPEC_CERT_ID_SYNTAX;
+
+DECLARE_ASN1_FUNCTIONS(OSSL_ROLE_SPEC_CERT_ID_SYNTAX)
+
 # ifdef  __cplusplus
 }
 # endif
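Review bot: The new OSSL_ROLE_SPEC_CERT_ID struct is public API but says nothing about which members may be NULL; the matching template in v3_rolespec.c marks roleCertSerialNumber and roleCertLocator OPTIONAL while roleName and roleCertIssuer are mandatory, and the printer in that file checks only the former two for NULL. Callers that obtain this struct through d2i will depend on that contract, so annotate the fields, e.g. `ASN1_INTEGER *roleCertSerialNumber; /* OPTIONAL, NULL if absent */` and `GENERAL_NAMES *roleCertLocator; /* OPTIONAL, NULL if absent */`. A one-line comment above the typedef naming the extension it models (roleSpecCertIdentifier) would also help readers find the corresponding definition.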