From: Theo Buehler Date: Sun, 6 Jul 2025 11:55:52 +0000 (+0200) Subject: Provide X509_CRL_get0_tbs_sigalg() X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=21f1b677d54ef50fe4e262e032372dfaff88fbf4;p=thirdparty%2Fopenssl.git Provide X509_CRL_get0_tbs_sigalg() X509_CRL_get0_tbs_sigalg() corresponds to X509_get0_tbs_sigalg() and retrieves the AlgorithmIdentifier inside the TBSCertList which is not currently accessible in any sane way from public API. This PR adds X509_get0_tbs_sigalg() to the public API, documents it, adds a simple regress check so there is coverage and mentions the addition in CHANGES.md. On top of that, fix a typo in .gitignore and clean up some order inconsistencies in X509_get0_signature.pod. Reviewed-by: Matt Caswell Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27971) --- diff --git a/.gitignore b/.gitignore index 740914f135b..7ab32ad61d3 100644 --- a/.gitignore +++ b/.gitignore @@ -93,7 +93,7 @@ providers/implementations/ciphers/ciphercommon.c providers/implementations/ciphers/ciphercommon_ccm.c providers/implementations/ciphers/ciphercommon_gcm.c providers/implementations/ciphers/cipher_chacha20_poly1305.c -providers/implementations/digest/digestcommon.c +providers/implementations/digests/digestcommon.c # error code files /crypto/err/openssl.txt.old diff --git a/CHANGES.md b/CHANGES.md index a3b252df531..67f83c5528c 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -117,6 +117,11 @@ OpenSSL 3.6 *Dimitri John Ledkov* + * Add X509_CRL_get0_tbs_sigalg() accessor for the signature AlgorithmIdentifier + inside a CRL's TBSCertList. + + *Theo Buehler* + * HKDF with (SHA-256, SHA-384, SHA-512) has assigned OIDs. Added ability to load HKDF configured with these explicit digests by name or OID. diff --git a/crypto/x509/x509cset.c b/crypto/x509/x509cset.c index e5dd4d5c3a3..f01d11e172c 100644 --- a/crypto/x509/x509cset.c +++ b/crypto/x509/x509cset.c @@ -125,6 +125,11 @@ STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl) return crl->crl.revoked; } +const X509_ALGOR *X509_CRL_get0_tbs_sigalg(const X509_CRL *crl) +{ + return &crl->crl.sig_alg; +} + void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig, const X509_ALGOR **palg) { diff --git a/doc/man3/X509_get0_signature.pod b/doc/man3/X509_get0_signature.pod index 18d9be6c45a..3a8028a2653 100644 --- a/doc/man3/X509_get0_signature.pod +++ b/doc/man3/X509_get0_signature.pod @@ -5,9 +5,10 @@ X509_get0_signature, X509_REQ_set0_signature, X509_REQ_set1_signature_algo, X509_get_signature_nid, X509_get0_tbs_sigalg, X509_REQ_get0_signature, X509_REQ_get_signature_nid, X509_CRL_get0_signature, X509_CRL_get_signature_nid, +X509_CRL_get0_tbs_sigalg, X509_get_signature_info, +X509_SIG_INFO_get, X509_SIG_INFO_set, X509_ACERT_get0_signature, X509_ACERT_get0_info_sigalg, -X509_ACERT_get_signature_nid, X509_get_signature_info, -X509_SIG_INFO_get, X509_SIG_INFO_set - signature information +X509_ACERT_get_signature_nid - signature information =head1 SYNOPSIS @@ -32,6 +33,7 @@ X509_SIG_INFO_get, X509_SIG_INFO_set - signature information const ASN1_BIT_STRING **psig, const X509_ALGOR **palg); int X509_CRL_get_signature_nid(const X509_CRL *crl); + const X509_ALGOR *X509_CRL_get0_tbs_sigalg(const X509_crl *crl); int X509_get_signature_info(X509 *x, int *mdnid, int *pknid, int *secbits, uint32_t *flags); @@ -56,8 +58,8 @@ pointers which B be freed up after the call. X509_set0_signature() and X509_REQ_set1_signature_algo() are the equivalent setters for the two values of X509_get0_signature(). -X509_get0_tbs_sigalg() returns the signature algorithm in the signed -portion of B. +X509_get0_tbs_sigalg() and X509_CRL_get0_tbs_sigalg() return the signature +algorithm in the signed portion of the certificate or CRL. X509_get_signature_nid() returns the NID corresponding to the signature algorithm of B. @@ -66,10 +68,6 @@ X509_REQ_get0_signature(), X509_REQ_get_signature_nid() X509_CRL_get0_signature() and X509_CRL_get_signature_nid() perform the same function for certificate requests and CRLs. -X509_ACERT_get0_signature(), X509_ACERT_get_signature_nid() and -X509_ACERT_get0_info_sigalg() perform the same function for attribute -certificates. - X509_get_signature_info() retrieves information about the signature of certificate B. The NID of the signing digest is written to B<*mdnid>, the public key algorithm to B<*pknid>, the effective security bits to @@ -82,6 +80,10 @@ used by implementations of algorithms which need to set custom signature information: most applications will never need to call them. +X509_ACERT_get0_signature(), X509_ACERT_get_signature_nid() and +X509_ACERT_get0_info_sigalg() perform the same function for attribute +certificates. + =head1 NOTES These functions provide lower level access to signatures in certificates @@ -147,6 +149,8 @@ were added in OpenSSL 1.1.1e. The X509_ACERT_get0_signature(), X509_ACERT_get0_info_sigalg() and X509_ACERT_get_signature_nid() functions were added in OpenSSL 3.4. +The X509_CRL_get0_tbs_sigalg() function was added in OpenSSL 3.6. + =head1 COPYRIGHT Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in index 809b9c645d4..7930762e5cc 100644 --- a/include/openssl/x509.h.in +++ b/include/openssl/x509.h.in @@ -761,6 +761,7 @@ OSSL_DEPRECATEDIN_1_1_0 ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl); X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl); const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl); STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl); +const X509_ALGOR *X509_CRL_get0_tbs_sigalg(const X509_CRL *crl); void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig, const X509_ALGOR **palg); int X509_CRL_get_signature_nid(const X509_CRL *crl); diff --git a/test/crltest.c b/test/crltest.c index c4e30d14fca..a7382f87a43 100644 --- a/test/crltest.c +++ b/test/crltest.c @@ -335,6 +335,7 @@ static int test_basic_crl(void) { X509_CRL *basic_crl = CRL_from_strings(kBasicCRL); X509_CRL *revoked_crl = CRL_from_strings(kRevokedCRL); + const X509_ALGOR *alg = NULL, *tbsalg; int r; r = TEST_ptr(basic_crl) @@ -345,6 +346,14 @@ static int test_basic_crl(void) && TEST_int_eq(verify(test_leaf, test_root, make_CRL_stack(basic_crl, revoked_crl), X509_V_FLAG_CRL_CHECK), X509_V_ERR_CERT_REVOKED); + if (r) { + X509_CRL_get0_signature(basic_crl, NULL, &alg); + tbsalg = X509_CRL_get0_tbs_sigalg(basic_crl); + r = TEST_ptr(alg) + && TEST_ptr(tbsalg) + && TEST_int_eq(X509_ALGOR_cmp(alg, tbsalg), 0); + } + X509_CRL_free(basic_crl); X509_CRL_free(revoked_crl); return r; diff --git a/util/libcrypto.num b/util/libcrypto.num index 8079cdbd853..96e646f3dc1 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5929,3 +5929,4 @@ OPENSSL_sk_set_thunks ? 3_6_0 EXIST::FUNCTION: i2d_PKCS8PrivateKey ? 3_6_0 EXIST::FUNCTION: OSSL_PARAM_set_octet_string_or_ptr ? 3_6_0 EXIST::FUNCTION: OSSL_STORE_LOADER_settable_ctx_params ? 3_6_0 EXIST::FUNCTION: +X509_CRL_get0_tbs_sigalg ? 3_6_0 EXIST::FUNCTION: