From: Jonathan M. Wilbur Date: Wed, 10 Jul 2024 22:31:06 +0000 (+0000) Subject: feat: support the basicAttConstraints X.509v3 extension X-Git-Tag: openssl-3.4.0-alpha1~291 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7f5db0c9a9360dc62155bbe42b97d02040738d8b;p=thirdparty%2Fopenssl.git feat: support the basicAttConstraints X.509v3 extension Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/24847)
---
diff --git a/crypto/x509/build.info b/crypto/x509/build.info
index 0404d7c94fa..89907be7ea6 100644
--- a/crypto/x509/build.info
+++ b/crypto/x509/build.info
@@ -17,7 +17,7 @@ SOURCE[../../libcrypto]=\
 v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c v3_no_rev_avail.c \
 v3_soa_id.c v3_no_ass.c v3_group_ac.c v3_single_use.c v3_ind_iss.c \
 x509_acert.c x509aset.c t_acert.c x_ietfatt.c v3_ac_tgt.c v3_sda.c \
- v3_usernotice.c
+ v3_usernotice.c v3_battcons.c
 IF[{- !$disabled{'deprecated-3.0'} -}]
 SOURCE[../../libcrypto]=x509type.c
diff --git a/crypto/x509/ext_dat.h b/crypto/x509/ext_dat.h
index 43a29448249..0de6f7c4a33 100644
--- a/crypto/x509/ext_dat.h
+++ b/crypto/x509/ext_dat.h
@@ -39,3 +39,4 @@ extern const X509V3_EXT_METHOD ossl_v3_associated_info;
 extern const X509V3_EXT_METHOD ossl_v3_acc_cert_policies;
 extern const X509V3_EXT_METHOD ossl_v3_acc_priv_policies;
 extern const X509V3_EXT_METHOD ossl_v3_user_notice;
+extern const X509V3_EXT_METHOD ossl_v3_battcons;
diff --git a/crypto/x509/standard_exts.h b/crypto/x509/standard_exts.h
index 9e2ca47bad9..780ceaa4842 100644
--- a/crypto/x509/standard_exts.h
+++ b/crypto/x509/standard_exts.h
@@ -75,6 +75,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
 &ossl_v3_issuer_sign_tool,
 &ossl_v3_tls_feature,
 &ossl_v3_ext_admission,
+&ossl_v3_battcons,
 &ossl_v3_delegated_name_constraints,
 &ossl_v3_user_notice,
 &ossl_v3_soa_identifier,
diff --git a/crypto/x509/v3_battcons.c b/crypto/x509/v3_battcons.c
new file mode 100644
index 00000000000..93fdde858ec
--- /dev/null
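Review bot: The new `&ossl_v3_battcons,` entry in the standard_exts hunk must keep that table in ascending ext_nid order, because extension lookup in this table is a binary search keyed on the NID; the slot between `ossl_v3_ext_admission` and `ossl_v3_delegated_name_constraints` is presumably where NID_basic_att_constraints sorts, but that cannot be checked from this hunk, so please confirm the numeric NID against its neighbours. A one-line comment at the insertion point naming the ordering rule would spare the next contributor the same question. The build.info and ext_dat.h hunks on this line are plain registration and need nothing.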
+++ b/crypto/x509/v3_battcons.c 
@@ -0,0 +1,85 @@
+/*
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "internal/cryptlib.h"
+#include
+#include
+#include
+#include "x509_local.h"
+
+static STACK_OF(CONF_VALUE) *i2v_OSSL_BASIC_ATTR_CONSTRAINTS(
+ X509V3_EXT_METHOD *method,
+ OSSL_BASIC_ATTR_CONSTRAINTS *battcons,
+ STACK_OF(CONF_VALUE)
+ *extlist);
+static OSSL_BASIC_ATTR_CONSTRAINTS *v2i_OSSL_BASIC_ATTR_CONSTRAINTS(
+ X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx,
+ STACK_OF(CONF_VALUE) *values);
+
+const X509V3_EXT_METHOD ossl_v3_battcons = {
+ NID_basic_att_constraints, 0,
+ ASN1_ITEM_ref(OSSL_BASIC_ATTR_CONSTRAINTS),
+ 0, 0, 0, 0,
+ 0, 0,
+ (X509V3_EXT_I2V) i2v_OSSL_BASIC_ATTR_CONSTRAINTS,
+ (X509V3_EXT_V2I)v2i_OSSL_BASIC_ATTR_CONSTRAINTS,
+ NULL, NULL,
+ NULL
+};
+
+ASN1_SEQUENCE(OSSL_BASIC_ATTR_CONSTRAINTS) = {
+ ASN1_OPT(OSSL_BASIC_ATTR_CONSTRAINTS, authority, ASN1_FBOOLEAN),
+ ASN1_OPT(OSSL_BASIC_ATTR_CONSTRAINTS, pathlen, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(OSSL_BASIC_ATTR_CONSTRAINTS)
+
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_BASIC_ATTR_CONSTRAINTS)
+
+static STACK_OF(CONF_VALUE) *i2v_OSSL_BASIC_ATTR_CONSTRAINTS(
+ X509V3_EXT_METHOD *method,
+ OSSL_BASIC_ATTR_CONSTRAINTS *battcons,
+ STACK_OF(CONF_VALUE) *extlist)
+{
+ X509V3_add_value_bool("authority", battcons->authority, &extlist);
+ X509V3_add_value_int("pathlen", battcons->pathlen, &extlist);
+ return extlist;
+}
+
+static OSSL_BASIC_ATTR_CONSTRAINTS *v2i_OSSL_BASIC_ATTR_CONSTRAINTS(
+ X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx,
+ STACK_OF(CONF_VALUE) *values)
+{
+ OSSL_BASIC_ATTR_CONSTRAINTS *battcons = NULL;
+ CONF_VALUE *val;
+ int i;
+
+ if ((battcons = OSSL_BASIC_ATTR_CONSTRAINTS_new()) == NULL) {
+ ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
+ return NULL;
+ }
+ for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
+ val = sk_CONF_VALUE_value(values, i);
+ if (strcmp(val->name, "authority") == 0) {
+ if (!X509V3_get_value_bool(val, &battcons->authority))
+ goto err;
+ } else if (strcmp(val->name, "pathlen") == 0) {
+ if (!X509V3_get_value_int(val, &battcons->pathlen))
+ goto err;
+ } else {
+ ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_NAME);
+ X509V3_conf_add_error_name_value(val);
+ goto err;
+ }
+ }
+ return battcons;
+ err:
+ OSSL_BASIC_ATTR_CONSTRAINTS_free(battcons);
+ return NULL;
+}
diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in
index 2f859e0f130..37626aa8375 100644
--- a/include/openssl/x509v3.h.in
+++ b/include/openssl/x509v3.h.in
@@ -126,6 +126,11 @@ typedef struct BASIC_CONSTRAINTS_st {
 ASN1_INTEGER *pathlen;
 } BASIC_CONSTRAINTS;
+typedef struct OSSL_BASIC_ATTR_CONSTRAINTS_st {
+ int authority;
+ ASN1_INTEGER *pathlen;
+} OSSL_BASIC_ATTR_CONSTRAINTS;
+
 typedef struct PKEY_USAGE_PERIOD_st {
 ASN1_GENERALIZEDTIME *notBefore;
 ASN1_GENERALIZEDTIME *notAfter;
@@ -511,6 +516,7 @@ typedef struct x509_purpose_st {
 # define X509V3_ADD_SILENT 0x10
 DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
+DECLARE_ASN1_FUNCTIONS(OSSL_BASIC_ATTR_CONSTRAINTS)
 DECLARE_ASN1_FUNCTIONS(SXNET)
 DECLARE_ASN1_FUNCTIONS(SXNETID)
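Review bot: In v2i_OSSL_BASIC_ATTR_CONSTRAINTS the `pathlen` branch leaks the first ASN1_INTEGER when a config names `pathlen` twice, because X509V3_get_value_int overwrites `battcons->pathlen` without releasing the previous value; releasing and clearing it before the call, `ASN1_INTEGER_free(battcons->pathlen); battcons->pathlen = NULL;`, fixes that and (because the pointer is cleared) keeps the err-path OSSL_BASIC_ATTR_CONSTRAINTS_free from double-freeing if the parse then fails. The same branch accepts a negative path length, whereas the X.509 syntax, as far as I recall it, constrains pathLenConstraint to INTEGER (0..MAX); since this value is what a chain verifier would compare depth against, rejecting `battcons->pathlen->type == V_ASN1_NEG_INTEGER` here with X509V3_R_INVALID_NAME-style error reporting is cheaper than letting it through. i2v_OSSL_BASIC_ATTR_CONSTRAINTS discards the return values of both X509V3_add_value_* calls, mirroring the existing basicConstraints printer, so a failed append silently prints a partial extension; a one-line comment saying this is deliberate would stop the next reader re-raising it. The file also never says which extension it implements; a header comment such as `/* basicAttConstraints (X.509 attribute-certificate extension): authority BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL */` above the ASN1_SEQUENCE would cover that.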
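Review bot: The new public typedef OSSL_BASIC_ATTR_CONSTRAINTS in x509v3.h.in carries no documentation of its two fields, and this is a public header, so callers will reach for it without the implementation file. A two-line comment on the struct stating that `authority` holds the BOOLEAN (0 when absent, which is the DEFAULT FALSE case) and that `pathlen` is NULL when pathLenConstraint is absent and is owned and freed by OSSL_BASIC_ATTR_CONSTRAINTS_free would be enough. No doc/man3 change for the new type appears in this diff as shown; if one exists elsewhere in the PR, ignore this.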