From: Jonathan M. Wilbur
Date: Wed, 11 Sep 2024 00:44:35 +0000 (+0000)
Subject: feat: support the roleSpecCertIdentifier X.509v3 extension
X-Git-Tag: openssl-3.5.0-alpha1~1112
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bda7b3edbbfa43f2209654c89fc8d74ad59e277f;p=thirdparty%2Fopenssl.git
feat: support the roleSpecCertIdentifier X.509v3 extension
Reviewed-by: Neil Horman
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/25428)
---
diff --git a/crypto/x509/build.info b/crypto/x509/build.info
index ea64c26061d..9d15c481fd9 100644
--- a/crypto/x509/build.info
+++ b/crypto/x509/build.info
@@ -17,7 +17,8 @@ SOURCE[../../libcrypto]=\
 v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c v3_no_rev_avail.c \
 v3_soa_id.c v3_no_ass.c v3_group_ac.c v3_single_use.c v3_ind_iss.c \
 x509_acert.c x509aset.c t_acert.c x_ietfatt.c v3_ac_tgt.c v3_sda.c \
- v3_usernotice.c v3_battcons.c v3_audit_id.c v3_iobo.c v3_authattid.c
+ v3_usernotice.c v3_battcons.c v3_audit_id.c v3_iobo.c v3_authattid.c \
+ v3_rolespec.c
 
 IF[{- !$disabled{'deprecated-3.0'} -}]
 SOURCE[../../libcrypto]=x509type.c
diff --git a/crypto/x509/ext_dat.h b/crypto/x509/ext_dat.h
index 1f08fe32029..b670e3843ad 100644
--- a/crypto/x509/ext_dat.h
+++ b/crypto/x509/ext_dat.h
@@ -43,3 +43,4 @@ extern const X509V3_EXT_METHOD ossl_v3_battcons;
 extern const X509V3_EXT_METHOD ossl_v3_audit_identity;
 extern const X509V3_EXT_METHOD ossl_v3_issued_on_behalf_of;
 extern const X509V3_EXT_METHOD ossl_v3_authority_attribute_identifier;
+extern const X509V3_EXT_METHOD ossl_v3_role_spec_cert_identifier;
diff --git a/crypto/x509/standard_exts.h b/crypto/x509/standard_exts.h
index 477f8100100..19e5eab161a 100644
--- a/crypto/x509/standard_exts.h
+++ b/crypto/x509/standard_exts.h
@@ -77,6 +77,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
 &ossl_v3_tls_feature,
 &ossl_v3_ext_admission,
 &ossl_v3_authority_attribute_identifier,
+ &ossl_v3_role_spec_cert_identifier,
 &ossl_v3_battcons,
 &ossl_v3_delegated_name_constraints,
 &ossl_v3_user_notice,
diff --git a/crypto/x509/v3_rolespec.c b/crypto/x509/v3_rolespec.c
new file mode 100644
index 00000000000..c371e145d7b
--- /dev/null
+++ b/crypto/x509/v3_rolespec.c
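Review bot: The `&ossl_v3_role_spec_cert_identifier` entry is placed between `&ossl_v3_authority_attribute_identifier` and `&ossl_v3_battcons`; as far as I recall this table is looked up with OBJ_bsearch and has to stay sorted by NID, so that slot is only right if NID_role_spec_cert_identifier was assigned the value directly after NID_authority_attribute_identifier. That is worth checking against the generated obj_mac.h, because a misplaced entry is not a compile error: X509V3_EXT_get_nid() simply stops finding the method and the extension falls back to the generic unparsed display. If the header does not already state the invariant above the array, a comment such as `/* must stay sorted by NID: searched with OBJ_bsearch */` at the table would make it visible at the point where entries get added.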
@@ -0,0 +1,95 @@
+/*
+ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include
+#include
+#include
+#include "ext_dat.h"
+
+ASN1_SEQUENCE(OSSL_ROLE_SPEC_CERT_ID) = {
+ ASN1_EXP(OSSL_ROLE_SPEC_CERT_ID, roleName, GENERAL_NAME, 0),
+ ASN1_EXP(OSSL_ROLE_SPEC_CERT_ID, roleCertIssuer, GENERAL_NAME, 1),
+ ASN1_IMP_OPT(OSSL_ROLE_SPEC_CERT_ID, roleCertSerialNumber, ASN1_INTEGER, 2),
+ ASN1_IMP_SEQUENCE_OF_OPT(OSSL_ROLE_SPEC_CERT_ID, roleCertLocator, GENERAL_NAME, 3),
+} ASN1_SEQUENCE_END(OSSL_ROLE_SPEC_CERT_ID)
+
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_ROLE_SPEC_CERT_ID)
+
+ASN1_ITEM_TEMPLATE(OSSL_ROLE_SPEC_CERT_ID_SYNTAX) =
+ ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF,
+ 0, OSSL_ROLE_SPEC_CERT_ID_SYNTAX, OSSL_ROLE_SPEC_CERT_ID)
+ASN1_ITEM_TEMPLATE_END(OSSL_ROLE_SPEC_CERT_ID_SYNTAX)
+
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_ROLE_SPEC_CERT_ID_SYNTAX)
+
+static int i2r_OSSL_ROLE_SPEC_CERT_ID(X509V3_EXT_METHOD *method,
+ OSSL_ROLE_SPEC_CERT_ID *rscid,
+ BIO *out, int indent)
+{
+ if (BIO_printf(out, "%*sRole Name: ", indent, "") <= 0)
+ return 0;
+ if (GENERAL_NAME_print(out, rscid->roleName) <= 0)
+ return 0;
+ if (BIO_puts(out, "\n") <= 0)
+ return 0;
+ if (BIO_printf(out, "%*sRole Certificate Issuer: ", indent, "") <= 0)
+ return 0;
+ if (GENERAL_NAME_print(out, rscid->roleCertIssuer) <= 0)
+ return 0;
+ if (rscid->roleCertSerialNumber != NULL) {
+ if (BIO_puts(out, "\n") <= 0)
+ return 0;
+ if (BIO_printf(out, "%*sRole Certificate Serial Number: ", indent, "") <= 0)
+ return 0;
+ if (ossl_serial_number_print(out, rscid->roleCertSerialNumber, indent) != 0)
+ return 0;
+ }
+ if (rscid->roleCertLocator != NULL) {
+ if (BIO_puts(out, "\n") <= 0)
+ return 0;
+ if (BIO_printf(out, "%*sRole Certificate Locator:\n",
indent, "") <= 0)
+ return 0;
+ if (OSSL_GENERAL_NAMES_print(out, rscid->roleCertLocator, indent) <= 0)
+ return 0;
+ }
+ return BIO_puts(out, "\n");
+}
+
+static int i2r_OSSL_ROLE_SPEC_CERT_ID_SYNTAX(X509V3_EXT_METHOD *method,
+ OSSL_ROLE_SPEC_CERT_ID_SYNTAX *rscids,
+ BIO *out, int indent)
+{
+ OSSL_ROLE_SPEC_CERT_ID *rscid;
+ int i;
+
+ for (i = 0; i < sk_OSSL_ROLE_SPEC_CERT_ID_num(rscids); i++) {
+ if (i > 0 && BIO_puts(out, "\n") <= 0)
+ return 0;
+ if (BIO_printf(out,
+ "%*sRole Specification Certificate Identifier #%d:\n",
+ indent, "", i + 1) <= 0)
+ return 0;
+ rscid = sk_OSSL_ROLE_SPEC_CERT_ID_value(rscids, i);
+ if (i2r_OSSL_ROLE_SPEC_CERT_ID(method, rscid, out, indent + 4) != 1)
+ return 0;
+ }
+ return 1;
+}
+
+const X509V3_EXT_METHOD ossl_v3_role_spec_cert_identifier = {
+ NID_role_spec_cert_identifier, X509V3_EXT_MULTILINE,
+ ASN1_ITEM_ref(OSSL_ROLE_SPEC_CERT_ID_SYNTAX),
+ 0, 0, 0, 0,
+ 0, 0,
+ 0,
+ 0,
+ (X509V3_EXT_I2R)i2r_OSSL_ROLE_SPEC_CERT_ID_SYNTAX,
+ NULL,
+ NULL
+};
diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in
index 0f37e1348dc..5e0605fe9c3 100644
--- a/include/openssl/x509v3.h.in
+++ b/include/openssl/x509v3.h.in
@@ -1037,6 +1037,22 @@ DECLARE_ASN1_FUNCTIONS(OSSL_USER_NOTICE_SYNTAX)
 generate_stack_macros("USERNOTICE");
 -}
 
+typedef struct OSSL_ROLE_SPEC_CERT_ID_st {
+ GENERAL_NAME *roleName;
+ GENERAL_NAME *roleCertIssuer;
+ ASN1_INTEGER *roleCertSerialNumber;
+ GENERAL_NAMES *roleCertLocator;
+} OSSL_ROLE_SPEC_CERT_ID;
+
+DECLARE_ASN1_FUNCTIONS(OSSL_ROLE_SPEC_CERT_ID)
+{-
+ generate_stack_macros("OSSL_ROLE_SPEC_CERT_ID");
+-}
+
+typedef STACK_OF(OSSL_ROLE_SPEC_CERT_ID) OSSL_ROLE_SPEC_CERT_ID_SYNTAX;
+
+DECLARE_ASN1_FUNCTIONS(OSSL_ROLE_SPEC_CERT_ID_SYNTAX)
+
 # ifdef __cplusplus
 }
 # endif
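Review bot: The newline bookkeeping in i2r_OSSL_ROLE_SPEC_CERT_ID looks off around the serial number: the function writes "\n" before each subsequent field and once at the end, but ossl_serial_number_print() — going by how X509_print_ex() relies on it, worth confirming in t_x509.c — terminates its own line, so an entry with a roleCertSerialNumber gets a blank line before "Role Certificate Locator:" and a blank line after the entry when the serial number is the last field. Tracking whether the current line is still open fixes both and lets the function return a clean 0/1 instead of the raw BIO_puts() byte count that i2r_OSSL_ROLE_SPEC_CERT_ID_SYNTAX then tests with `!= 1` (better written `<= 0` in any case, since every other check in the file uses that form). Both printers would also benefit from a short header comment naming what they print and the i2r contract (1 on success, 0 on any BIO error; roleName and roleCertIssuer are never NULL because they are not OPTIONAL in the template). No test data exercising the printer is part of this patch. If the helper's trailing newline is confirmed, the serial/locator part of the function can become:
```c
static int i2r_OSSL_ROLE_SPEC_CERT_ID(X509V3_EXT_METHOD *method,
                                      OSSL_ROLE_SPEC_CERT_ID *rscid,
                                      BIO *out, int indent)
{
    int line_open = 1; /* 1 while the current output line still lacks its "\n" */

    /* … unchanged: Role Name and Role Certificate Issuer output … */
    if (rscid->roleCertSerialNumber != NULL) {
        if (BIO_printf(out, "\n%*sRole Certificate Serial Number: ", indent, "") <= 0)
            return 0;
        /* ossl_serial_number_print() writes the value and its own newline */
        if (ossl_serial_number_print(out, rscid->roleCertSerialNumber, indent) != 0)
            return 0;
        line_open = 0;
    }
    if (rscid->roleCertLocator != NULL) {
        if (line_open && BIO_puts(out, "\n") <= 0)
            return 0;
        if (BIO_printf(out, "%*sRole Certificate Locator:\n", indent, "") <= 0)
            return 0;
        if (OSSL_GENERAL_NAMES_print(out, rscid->roleCertLocator, indent) <= 0)
            return 0;
        line_open = 1;
    }
    /* close the last line only if something is still pending on it */
    return !line_open || BIO_puts(out, "\n") > 0;
}
```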
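Review bot: The new public struct OSSL_ROLE_SPEC_CERT_ID and the _new/_free/d2i_/i2d_ symbols that DECLARE_ASN1_FUNCTIONS exports for it and for OSSL_ROLE_SPEC_CERT_ID_SYNTAX arrive without any documentation in the header, and nothing in this patch adds a man page or the util/libcrypto.num entries the exported symbols need — fine if that lives elsewhere in the series, otherwise it should land with this change. Because the fields are exposed, callers need to know which may be NULL: roleCertSerialNumber and roleCertLocator are OPTIONAL in the ASN.1 template in v3_rolespec.c, while roleName and roleCertIssuer are mandatory. A comment above the struct along the lines of `/* RoleSpecCertIdentifier; roleCertSerialNumber and roleCertLocator are OPTIONAL and may be NULL */` would capture that for users of the type.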