feat: support the allowedAttributeAssignments X.509v3 extension
authorJonathan M. Wilbur <jonathan@wilbur.space>
Thu, 12 Dec 2024 14:29:50 +0000 (14:29 +0000)
committerTomas Mraz <tomas@openssl.org>
Thu, 2 Jan 2025 19:06:59 +0000 (20:06 +0100)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26163)

crypto/x509/build.info
crypto/x509/ext_dat.h
crypto/x509/standard_exts.h
crypto/x509/v3_aaa.c [new file with mode: 0644]
include/openssl/x509v3.h.in
util/libcrypto.num

index 204239f8380b528189d73a2bc1b2e07d64e5b67d..c9ed634b86a61dd3c7ec76616f73b882917d5378 100644 (file)
@@ -18,7 +18,7 @@ SOURCE[../../libcrypto]=\
         v3_soa_id.c v3_no_ass.c v3_group_ac.c v3_single_use.c v3_ind_iss.c \
         x509_acert.c x509aset.c t_acert.c x_ietfatt.c v3_ac_tgt.c v3_sda.c \
         v3_usernotice.c v3_battcons.c v3_audit_id.c v3_iobo.c v3_authattid.c \
-        v3_rolespec.c v3_attrdesc.c v3_timespec.c v3_attrmap.c
+        v3_rolespec.c v3_attrdesc.c v3_timespec.c v3_attrmap.c v3_aaa.c
 
 IF[{- !$disabled{'deprecated-3.0'} -}]
   SOURCE[../../libcrypto]=x509type.c
index d1ec38779368683d2001e62eb8c4c04285db98bb..291a3df580079db20ed905293cf046f8079e1579 100644 (file)
@@ -47,3 +47,4 @@ extern const X509V3_EXT_METHOD ossl_v3_role_spec_cert_identifier;
 extern const X509V3_EXT_METHOD ossl_v3_attribute_descriptor;
 extern const X509V3_EXT_METHOD ossl_v3_time_specification;
 extern const X509V3_EXT_METHOD ossl_v3_attribute_mappings;
+extern const X509V3_EXT_METHOD ossl_v3_allowed_attribute_assignments;
index 9bf6a77d812d69596f98ff997fbcfe09851aed36..2fe142f9cfc8053c29a8b468a86bd59c1f99c048 100644 (file)
@@ -91,6 +91,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
     &ossl_v3_issued_on_behalf_of,
     &ossl_v3_single_use,
     &ossl_v3_group_ac,
+    &ossl_v3_allowed_attribute_assignments,
     &ossl_v3_attribute_mappings,
     &ossl_v3_holder_name_constraints,
     &ossl_v3_associated_info,
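Review bot: The position of the new `&ossl_v3_allowed_attribute_assignments,` entry has to match the numeric order of its NID, because standard_exts[] is looked up with a binary search and an out-of-order entry makes the lookup miss it silently rather than fail loudly. Placing it between the group_ac and attribute_mappings entries implies NID_allowed_attribute_assignments sorts between those two NIDs, which cannot be confirmed from this page since no objects.txt/obj_mac.h change is in the commit's file list. The internal x509 test that checks this table's ordering should be run as part of review, and if the comment above the table does not already say so, a one-line `/* keep sorted by NID: this table is bsearched */` near the insertion would help the next contributor.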
diff --git a/crypto/x509/v3_aaa.c b/crypto/x509/v3_aaa.c
new file mode 100644 (file)
index 0000000..622c88f
--- /dev/null
@@ -0,0 +1,129 @@
+/*
+ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/asn1t.h>
+#include <openssl/x509v3.h>
+#include <openssl/x509.h>
+#include <crypto/x509.h>
+#include "ext_dat.h"
+
+ASN1_CHOICE(OSSL_ALLOWED_ATTRIBUTES_CHOICE) = {
+    ASN1_IMP(OSSL_ALLOWED_ATTRIBUTES_CHOICE, choice.attributeType, ASN1_OBJECT,
+             OSSL_AAA_ATTRIBUTE_TYPE),
+    ASN1_IMP(OSSL_ALLOWED_ATTRIBUTES_CHOICE, choice.attributeTypeandValues,
+             X509_ATTRIBUTE, OSSL_AAA_ATTRIBUTE_VALUES),
+} ASN1_CHOICE_END(OSSL_ALLOWED_ATTRIBUTES_CHOICE)
+
+ASN1_SEQUENCE(OSSL_ALLOWED_ATTRIBUTES_ITEM) = {
+    ASN1_IMP_SET_OF(OSSL_ALLOWED_ATTRIBUTES_ITEM, attributes,
+                    OSSL_ALLOWED_ATTRIBUTES_CHOICE, 0),
+    /* This MUST be EXPLICIT, because it contains a CHOICE. */
+    ASN1_EXP(OSSL_ALLOWED_ATTRIBUTES_ITEM, holderDomain, GENERAL_NAME, 1),
+} ASN1_SEQUENCE_END(OSSL_ALLOWED_ATTRIBUTES_ITEM)
+
+ASN1_ITEM_TEMPLATE(OSSL_ALLOWED_ATTRIBUTES_SYNTAX) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_OF, 0, OSSL_ALLOWED_ATTRIBUTES_SYNTAX,
+                          OSSL_ALLOWED_ATTRIBUTES_ITEM)
+ASN1_ITEM_TEMPLATE_END(OSSL_ALLOWED_ATTRIBUTES_SYNTAX)
+
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_CHOICE)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_ITEM)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_SYNTAX)
+
+static int i2r_ALLOWED_ATTRIBUTES_CHOICE(X509V3_EXT_METHOD *method,
+                                         OSSL_ALLOWED_ATTRIBUTES_CHOICE *a,
+                                         BIO *out, int indent)
+{
+    ASN1_OBJECT *attr_obj;
+    int attr_nid, j;
+    X509_ATTRIBUTE *attr;
+    ASN1_TYPE *av;
+
+    switch (a->type) {
+    case (OSSL_AAA_ATTRIBUTE_TYPE):
+        if (BIO_printf(out, "%*sAttribute Type: ", indent, "") <= 0)
+            return 0;
+        if (i2a_ASN1_OBJECT(out, a->choice.attributeType) <= 0)
+            return 0;
+        return BIO_puts(out, "\n") > 0;
+    case (OSSL_AAA_ATTRIBUTE_VALUES):
+        attr = a->choice.attributeTypeandValues;
+        attr_obj = X509_ATTRIBUTE_get0_object(attr);
+        attr_nid = OBJ_obj2nid(attr_obj);
+        if (BIO_printf(out, "%*sAttribute Values: ", indent, "") <= 0)
+            return 0;
+        if (i2a_ASN1_OBJECT(out, attr_obj) <= 0)
+            return 0;
+        if (BIO_puts(out, "\n") <= 0)
+            return 0;
+        for (j = 0; j < X509_ATTRIBUTE_count(attr); j++) {
+            av = X509_ATTRIBUTE_get0_type(attr, j);
+            if (ossl_print_attribute_value(out, attr_nid, av, indent + 4) <= 0)
+                return 0;
+            if (BIO_puts(out, "\n") <= 0)
+                return 0;
+        }
+        break;
+    default:
+        return 0;
+    }
+    return 1;
+}
+
+static int i2r_ALLOWED_ATTRIBUTES_ITEM(X509V3_EXT_METHOD *method,
+                                       OSSL_ALLOWED_ATTRIBUTES_ITEM *aai,
+                                       BIO *out, int indent)
+{
+    int i;
+    OSSL_ALLOWED_ATTRIBUTES_CHOICE *a;
+
+    for (i = 0; i < sk_OSSL_ALLOWED_ATTRIBUTES_CHOICE_num(aai->attributes); i++) {
+        if (BIO_printf(out, "%*sAllowed Attribute Type or Values:\n", indent, "") <= 0)
+            return 0;
+        a = sk_OSSL_ALLOWED_ATTRIBUTES_CHOICE_value(aai->attributes, i);
+        if (i2r_ALLOWED_ATTRIBUTES_CHOICE(method, a, out, indent + 4) <= 0)
+            return 0;
+    }
+    if (BIO_printf(out, "%*sHolder Domain: ", indent, "") <= 0)
+        return 0;
+    if (GENERAL_NAME_print(out, aai->holderDomain) <= 0)
+        return 0;
+    if (BIO_puts(out, "\n") <= 0)
+        return 0;
+    return 1;
+}
+
+static int i2r_ALLOWED_ATTRIBUTES_SYNTAX(X509V3_EXT_METHOD *method,
+                                         OSSL_ALLOWED_ATTRIBUTES_SYNTAX *aaa,
+                                         BIO *out, int indent)
+{
+    int i;
+    OSSL_ALLOWED_ATTRIBUTES_ITEM *aai;
+
+    for (i = 0; i < sk_OSSL_ALLOWED_ATTRIBUTES_ITEM_num(aaa); i++) {
+        if (BIO_printf(out, "%*sAllowed Attributes:\n", indent, "") <= 0)
+            return 0;
+        aai = sk_OSSL_ALLOWED_ATTRIBUTES_ITEM_value(aaa, i);
+        if (i2r_ALLOWED_ATTRIBUTES_ITEM(method, aai, out, indent + 4) <= 0)
+            return 0;
+    }
+    return 1;
+}
+
+const X509V3_EXT_METHOD ossl_v3_allowed_attribute_assignments = {
+    NID_allowed_attribute_assignments, 0,
+    ASN1_ITEM_ref(OSSL_ALLOWED_ATTRIBUTES_SYNTAX),
+    0, 0, 0, 0,
+    0, 0,
+    0,
+    0,
+    (X509V3_EXT_I2R)i2r_ALLOWED_ATTRIBUTES_SYNTAX,
+    0,
+    NULL
+};
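Review bot: `#include <crypto/x509.h>` near the top of the new file pulls in a libcrypto-internal header with angle brackets, while the neighbouring `#include "ext_dat.h"` and the tree's other extension sources use the quoted form; it should read `#include "crypto/x509.h"` so the private header is resolved from the source tree rather than by include-path search order. In i2r_ALLOWED_ATTRIBUTES_CHOICE the labels `case (OSSL_AAA_ATTRIBUTE_TYPE):` and `case (OSSL_AAA_ATTRIBUTE_VALUES):` carry unusual parentheses and read better as `case OSSL_AAA_ATTRIBUTE_TYPE:`, and `X509_ATTRIBUTE_count(attr)` in the for-loop condition could be hoisted into a local. The file has no header comment saying what it implements; a short block before the ASN1_CHOICE naming the ITU-T X.509 AllowedAttributeAssignments syntax the templates mirror, and noting that the method table at the bottom sets only the i2r callback so the extension is decoded and printed but nothing in this file enforces the assignment constraints it expresses, would make the print-only scope clear to anyone who later wants to rely on it during attribute-certificate verification.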
index dd23a11420cedb86bc3c5e6baebd9e453340d6a1..b22334d14f15da95b9d6889e5d4b686d25e2db0c 100644 (file)
@@ -1316,6 +1316,36 @@ DECLARE_ASN1_FUNCTIONS(OSSL_ATTRIBUTE_MAPPINGS)
     generate_stack_macros("OSSL_ATTRIBUTE_MAPPING");
 -}
 
+# define OSSL_AAA_ATTRIBUTE_TYPE     0
+# define OSSL_AAA_ATTRIBUTE_VALUES   1
+
+typedef struct ALLOWED_ATTRIBUTES_CHOICE_st {
+    int type;
+    union {
+        ASN1_OBJECT *attributeType;
+        X509_ATTRIBUTE *attributeTypeandValues;
+    } choice;
+} OSSL_ALLOWED_ATTRIBUTES_CHOICE;
+
+typedef struct ALLOWED_ATTRIBUTES_ITEM_st {
+    STACK_OF(OSSL_ALLOWED_ATTRIBUTES_CHOICE) *attributes;
+    GENERAL_NAME *holderDomain;
+} OSSL_ALLOWED_ATTRIBUTES_ITEM;
+
+typedef STACK_OF(OSSL_ALLOWED_ATTRIBUTES_ITEM) OSSL_ALLOWED_ATTRIBUTES_SYNTAX;
+
+DECLARE_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_CHOICE)
+DECLARE_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_ITEM)
+DECLARE_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_SYNTAX)
+
+{-
+    generate_stack_macros("OSSL_ALLOWED_ATTRIBUTES_CHOICE");
+-}
+
+{-
+    generate_stack_macros("OSSL_ALLOWED_ATTRIBUTES_ITEM");
+-}
+
 # ifdef  __cplusplus
 }
 # endif
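Review bot: `OSSL_AAA_ATTRIBUTE_TYPE`/`OSSL_AAA_ATTRIBUTE_VALUES` and the three new public types are added to the installed header without any comment explaining them, and the commit's file list contains no doc/man3 page even though the util/libcrypto.num hunk exports fifteen new functions for them. A comment above the first define, `/* Values of OSSL_ALLOWED_ATTRIBUTES_CHOICE.type: selects which member of 'choice' is set (X.509 AllowedAttributeAssignments) */`, would suffice in the header; the d2i/i2d/new/free/it functions need either a manual page or an entry in util/missingcrypto.txt, whichever the project applied to the other attribute-certificate extensions. The struct tags `ALLOWED_ATTRIBUTES_CHOICE_st` and `ALLOWED_ATTRIBUTES_ITEM_st` lack the `OSSL_` prefix their typedef names carry; whether the sibling OSSL_ATTRIBUTE_MAPPINGS types use a prefixed tag is outside this hunk, so this is flagged only for consistency.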
index 8da730bb691b769a2e79fcbdc5cc1bf8e545f6c7..9ad6d5ea7d58f4d3d8d60e8c10de769dfebaaf93 100644 (file)
@@ -5861,3 +5861,18 @@ i2d_OSSL_ATAV                           ?        3_5_0   EXIST::FUNCTION:
 OSSL_ATAV_free                          ?      3_5_0   EXIST::FUNCTION:
 OSSL_ATAV_new                           ?      3_5_0   EXIST::FUNCTION:
 OSSL_ATAV_it                            ?      3_5_0   EXIST::FUNCTION:
+d2i_OSSL_ALLOWED_ATTRIBUTES_CHOICE      ?      3_5_0   EXIST::FUNCTION:
+i2d_OSSL_ALLOWED_ATTRIBUTES_CHOICE      ?      3_5_0   EXIST::FUNCTION:
+OSSL_ALLOWED_ATTRIBUTES_CHOICE_free     ?      3_5_0   EXIST::FUNCTION:
+OSSL_ALLOWED_ATTRIBUTES_CHOICE_new      ?      3_5_0   EXIST::FUNCTION:
+OSSL_ALLOWED_ATTRIBUTES_CHOICE_it       ?      3_5_0   EXIST::FUNCTION:
+d2i_OSSL_ALLOWED_ATTRIBUTES_ITEM        ?      3_5_0   EXIST::FUNCTION:
+i2d_OSSL_ALLOWED_ATTRIBUTES_ITEM        ?      3_5_0   EXIST::FUNCTION:
+OSSL_ALLOWED_ATTRIBUTES_ITEM_free       ?      3_5_0   EXIST::FUNCTION:
+OSSL_ALLOWED_ATTRIBUTES_ITEM_new        ?      3_5_0   EXIST::FUNCTION:
+OSSL_ALLOWED_ATTRIBUTES_ITEM_it         ?      3_5_0   EXIST::FUNCTION:
+d2i_OSSL_ALLOWED_ATTRIBUTES_SYNTAX      ?      3_5_0   EXIST::FUNCTION:
+i2d_OSSL_ALLOWED_ATTRIBUTES_SYNTAX      ?      3_5_0   EXIST::FUNCTION:
+OSSL_ALLOWED_ATTRIBUTES_SYNTAX_free     ?      3_5_0   EXIST::FUNCTION:
+OSSL_ALLOWED_ATTRIBUTES_SYNTAX_new      ?      3_5_0   EXIST::FUNCTION:
+OSSL_ALLOWED_ATTRIBUTES_SYNTAX_it       ?      3_5_0   EXIST::FUNCTION: