From: Jonathan M. Wilbur Date: Thu, 12 Dec 2024 14:29:50 +0000 (+0000) Subject: feat: support the allowedAttributeAssignments X.509v3 extension X-Git-Tag: openssl-3.5.0-alpha1~795 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9598bc15e9bcc137182c709057b79aef1d347a06;p=thirdparty%2Fopenssl.git feat: support the allowedAttributeAssignments X.509v3 extension Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/26163)
---
diff --git a/crypto/x509/build.info b/crypto/x509/build.info
index 204239f8380..c9ed634b86a 100644
--- a/crypto/x509/build.info
+++ b/crypto/x509/build.info
@@ -18,7 +18,7 @@ SOURCE[../../libcrypto]=\
 v3_soa_id.c v3_no_ass.c v3_group_ac.c v3_single_use.c v3_ind_iss.c \
 x509_acert.c x509aset.c t_acert.c x_ietfatt.c v3_ac_tgt.c v3_sda.c \
 v3_usernotice.c v3_battcons.c v3_audit_id.c v3_iobo.c v3_authattid.c \
- v3_rolespec.c v3_attrdesc.c v3_timespec.c v3_attrmap.c
+ v3_rolespec.c v3_attrdesc.c v3_timespec.c v3_attrmap.c v3_aaa.c
 
 IF[{- !$disabled{'deprecated-3.0'} -}]
 SOURCE[../../libcrypto]=x509type.c
diff --git a/crypto/x509/ext_dat.h b/crypto/x509/ext_dat.h
index d1ec3877936..291a3df5800 100644
--- a/crypto/x509/ext_dat.h
+++ b/crypto/x509/ext_dat.h
@@ -47,3 +47,4 @@ extern const X509V3_EXT_METHOD ossl_v3_role_spec_cert_identifier;
 extern const X509V3_EXT_METHOD ossl_v3_attribute_descriptor;
 extern const X509V3_EXT_METHOD ossl_v3_time_specification;
 extern const X509V3_EXT_METHOD ossl_v3_attribute_mappings;
+extern const X509V3_EXT_METHOD ossl_v3_allowed_attribute_assignments;
diff --git a/crypto/x509/standard_exts.h b/crypto/x509/standard_exts.h
index 9bf6a77d812..2fe142f9cfc 100644
--- a/crypto/x509/standard_exts.h
+++ b/crypto/x509/standard_exts.h
@@ -91,6 +91,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
 &ossl_v3_issued_on_behalf_of,
 &ossl_v3_single_use,
 &ossl_v3_group_ac,
+ &ossl_v3_allowed_attribute_assignments,
 &ossl_v3_attribute_mappings,
 &ossl_v3_holder_name_constraints,
 &ossl_v3_associated_info,
diff --git a/crypto/x509/v3_aaa.c b/crypto/x509/v3_aaa.c
new file mode 100644
index 00000000000..622c88f8d69
--- /dev/null
+++ b/crypto/x509/v3_aaa.c
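Review bot: The position of `&ossl_v3_allowed_attribute_assignments` between `&ossl_v3_group_ac` and `&ossl_v3_attribute_mappings` must follow numeric NID order, because as far as I recall X509V3_EXT_get_nid in v3_lib.c resolves this array by binary search on ext_nid; a misplaced entry is not a compile error, the extension simply stops being found and `-text` output falls back to a hex dump. Please confirm that NID_allowed_attribute_assignments sorts between NID_group_ac and NID_attribute_mappings in the generated obj_mac.h. I believe test/ext_internal_test.c asserts the ordering of standard_exts, so a green CI run would settle it. The array definition starts before this hunk.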
@@ -0,0 +1,129 @@
+/*
+ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include "ext_dat.h"
+
+ASN1_CHOICE(OSSL_ALLOWED_ATTRIBUTES_CHOICE) = {
+ ASN1_IMP(OSSL_ALLOWED_ATTRIBUTES_CHOICE, choice.attributeType, ASN1_OBJECT,
+ OSSL_AAA_ATTRIBUTE_TYPE),
+ ASN1_IMP(OSSL_ALLOWED_ATTRIBUTES_CHOICE, choice.attributeTypeandValues,
+ X509_ATTRIBUTE, OSSL_AAA_ATTRIBUTE_VALUES),
+} ASN1_CHOICE_END(OSSL_ALLOWED_ATTRIBUTES_CHOICE)
+
+ASN1_SEQUENCE(OSSL_ALLOWED_ATTRIBUTES_ITEM) = {
+ ASN1_IMP_SET_OF(OSSL_ALLOWED_ATTRIBUTES_ITEM, attributes,
+ OSSL_ALLOWED_ATTRIBUTES_CHOICE, 0),
+ /* This MUST be EXPLICIT, because it contains a CHOICE. */
+ ASN1_EXP(OSSL_ALLOWED_ATTRIBUTES_ITEM, holderDomain, GENERAL_NAME, 1),
+} ASN1_SEQUENCE_END(OSSL_ALLOWED_ATTRIBUTES_ITEM)
+
+ASN1_ITEM_TEMPLATE(OSSL_ALLOWED_ATTRIBUTES_SYNTAX) =
+ ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_OF, 0, OSSL_ALLOWED_ATTRIBUTES_SYNTAX,
+ OSSL_ALLOWED_ATTRIBUTES_ITEM)
+ASN1_ITEM_TEMPLATE_END(OSSL_ALLOWED_ATTRIBUTES_SYNTAX)
+
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_CHOICE)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_ITEM)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_SYNTAX)
+
+static int i2r_ALLOWED_ATTRIBUTES_CHOICE(X509V3_EXT_METHOD *method,
+ OSSL_ALLOWED_ATTRIBUTES_CHOICE *a,
+ BIO *out, int indent)
+{
+ ASN1_OBJECT *attr_obj;
+ int attr_nid, j;
+ X509_ATTRIBUTE *attr;
+ ASN1_TYPE *av;
+
+ switch (a->type) {
+ case (OSSL_AAA_ATTRIBUTE_TYPE):
+ if (BIO_printf(out, "%*sAttribute Type: ", indent, "") <= 0)
+ return 0;
+ if (i2a_ASN1_OBJECT(out, a->choice.attributeType) <= 0)
+ return 0;
+ return BIO_puts(out, "\n") > 0;
+ case (OSSL_AAA_ATTRIBUTE_VALUES):
+ attr = a->choice.attributeTypeandValues;
+ attr_obj = X509_ATTRIBUTE_get0_object(attr);
+ attr_nid = OBJ_obj2nid(attr_obj);
+ if (BIO_printf(out, "%*sAttribute Values: ", indent, "") <= 0)
+ return 0;
+ if (i2a_ASN1_OBJECT(out, attr_obj) <= 0)
+ return 0;
+ if (BIO_puts(out, "\n") <= 0)
+ return 0;
+ for (j = 0; j < X509_ATTRIBUTE_count(attr); j++) {
+ av = X509_ATTRIBUTE_get0_type(attr, j);
+ if (ossl_print_attribute_value(out, attr_nid, av, indent + 4) <= 0)
+ return 0;
+ if (BIO_puts(out, "\n") <= 0)
+ return 0;
+ }
+ break;
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static int i2r_ALLOWED_ATTRIBUTES_ITEM(X509V3_EXT_METHOD *method,
+ OSSL_ALLOWED_ATTRIBUTES_ITEM *aai,
+ BIO *out, int indent)
+{
+ int i;
+ OSSL_ALLOWED_ATTRIBUTES_CHOICE *a;
+
+ for (i = 0; i < sk_OSSL_ALLOWED_ATTRIBUTES_CHOICE_num(aai->attributes); i++) {
+ if (BIO_printf(out, "%*sAllowed Attribute Type or Values:\n", indent, "") <= 0)
+ return 0;
+ a = sk_OSSL_ALLOWED_ATTRIBUTES_CHOICE_value(aai->attributes, i);
+ if (i2r_ALLOWED_ATTRIBUTES_CHOICE(method, a, out, indent + 4) <= 0)
+ return 0;
+ }
+ if (BIO_printf(out, "%*sHolder Domain: ", indent, "") <= 0)
+ return 0;
+ if (GENERAL_NAME_print(out, aai->holderDomain) <= 0)
+ return 0;
+ if (BIO_puts(out, "\n") <= 0)
+ return 0;
+ return 1;
+}
+
+static int i2r_ALLOWED_ATTRIBUTES_SYNTAX(X509V3_EXT_METHOD *method,
+ OSSL_ALLOWED_ATTRIBUTES_SYNTAX *aaa,
+ BIO *out, int indent)
+{
+ int i;
+ OSSL_ALLOWED_ATTRIBUTES_ITEM *aai;
+
+ for (i = 0; i < sk_OSSL_ALLOWED_ATTRIBUTES_ITEM_num(aaa); i++) {
+ if (BIO_printf(out, "%*sAllowed Attributes:\n", indent, "") <= 0)
+ return 0;
+ aai = sk_OSSL_ALLOWED_ATTRIBUTES_ITEM_value(aaa, i);
+ if (i2r_ALLOWED_ATTRIBUTES_ITEM(method, aai, out, indent + 4) <= 0)
+ return 0;
+ }
+ return 1;
+}
+
+const X509V3_EXT_METHOD ossl_v3_allowed_attribute_assignments = {
+ NID_allowed_attribute_assignments, 0,
+ ASN1_ITEM_ref(OSSL_ALLOWED_ATTRIBUTES_SYNTAX),
+ 0, 0, 0, 0,
+ 0, 0,
+ 0,
+ 0,
+ (X509V3_EXT_I2R)i2r_ALLOWED_ATTRIBUTES_SYNTAX,
+ 0,
+ NULL
+};
diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in
index dd23a11420c..b22334d14f1 100644
--- a/include/openssl/x509v3.h.in
+++ b/include/openssl/x509v3.h.in
@@ -1316,6 +1316,36 @@ DECLARE_ASN1_FUNCTIONS(OSSL_ATTRIBUTE_MAPPINGS)
 generate_stack_macros("OSSL_ATTRIBUTE_MAPPING");
 -}
+# define OSSL_AAA_ATTRIBUTE_TYPE 0
+# define OSSL_AAA_ATTRIBUTE_VALUES 1
+
+typedef struct ALLOWED_ATTRIBUTES_CHOICE_st {
+ int type;
+ union {
+ ASN1_OBJECT *attributeType;
+ X509_ATTRIBUTE *attributeTypeandValues;
+ } choice;
+} OSSL_ALLOWED_ATTRIBUTES_CHOICE;
+
+typedef struct ALLOWED_ATTRIBUTES_ITEM_st {
+ STACK_OF(OSSL_ALLOWED_ATTRIBUTES_CHOICE) *attributes;
+ GENERAL_NAME *holderDomain;
+} OSSL_ALLOWED_ATTRIBUTES_ITEM;
+
+typedef STACK_OF(OSSL_ALLOWED_ATTRIBUTES_ITEM) OSSL_ALLOWED_ATTRIBUTES_SYNTAX;
+
+DECLARE_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_CHOICE)
+DECLARE_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_ITEM)
+DECLARE_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_SYNTAX)
+
+{-
+ generate_stack_macros("OSSL_ALLOWED_ATTRIBUTES_CHOICE");
+-}
+
+{-
+ generate_stack_macros("OSSL_ALLOWED_ATTRIBUTES_ITEM");
+-}
+
 
 # ifdef __cplusplus
 }
 # endif
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 8da730bb691..9ad6d5ea7d5 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
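Review bot: Nothing in this diff exercises the new decoder or printer — no file under test/ is touched — so the tagging decisions in the templates (IMPLICIT [0] SET OF for `attributes`, EXPLICIT [1] for `holderDomain`, the two IMPLICIT CHOICE alternatives) and both arms of i2r_ALLOWED_ATTRIBUTES_CHOICE are verified only by whatever certificates users feed to `openssl x509 -text`, where this printer presumably runs on untrusted extension bytes through X509V3_EXT_print. A DER sample with one attributeType and one attributeTypeandValues entry (plus a mis-tagged negative case) next to the tests for the sibling attribute-certificate extensions, and an entry in the x509 fuzz corpus, would pin it; I cannot see those tests from here to say which file is the right template. Two smaller points in i2r_ALLOWED_ATTRIBUTES_CHOICE: `X509_ATTRIBUTE_count(attr)` is re-evaluated on every iteration of the `for`, so hoist it into a local, and the `<= 0` test on ossl_print_attribute_value assumes it returns a positive value on success, which should be confirmed against its definition since it is not shown here. The whole file is inside the hunk, so no function starts or ends outside it.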
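Review bot: The three public types declared here, and the fifteen d2i_/i2d_/_new/_free/_it functions exported for them in util/libcrypto.num, get no manual page in this diff; unless they are documented in a later commit or listed in util/missingcrypto.txt, I believe find-doc-nits will flag them, and a caller has nothing that says the `attributeTypeandValues` arm of the union is valid only when `type == OSSL_AAA_ATTRIBUTE_VALUES`. At minimum a comment above the CHOICE struct such as `/* type selects the union member: OSSL_AAA_ATTRIBUTE_TYPE or OSSL_AAA_ATTRIBUTE_VALUES */` would cover the selector contract; a short doc/man3 page for the three types would be better. Exposing the struct layout in the public header makes its members ABI, which matches the neighbouring OSSL_ATTRIBUTE_MAPPINGS declarations in the context lines, so it looks deliberate and is only worth naming.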
@@ -5861,3 +5861,18 @@ i2d_OSSL_ATAV ? 3_5_0 EXIST::FUNCTION:
 OSSL_ATAV_free ? 3_5_0 EXIST::FUNCTION:
 OSSL_ATAV_new ? 3_5_0 EXIST::FUNCTION:
 OSSL_ATAV_it ? 3_5_0 EXIST::FUNCTION:
+d2i_OSSL_ALLOWED_ATTRIBUTES_CHOICE ? 3_5_0 EXIST::FUNCTION:
+i2d_OSSL_ALLOWED_ATTRIBUTES_CHOICE ? 3_5_0 EXIST::FUNCTION:
+OSSL_ALLOWED_ATTRIBUTES_CHOICE_free ? 3_5_0 EXIST::FUNCTION:
+OSSL_ALLOWED_ATTRIBUTES_CHOICE_new ? 3_5_0 EXIST::FUNCTION:
+OSSL_ALLOWED_ATTRIBUTES_CHOICE_it ? 3_5_0 EXIST::FUNCTION:
+d2i_OSSL_ALLOWED_ATTRIBUTES_ITEM ? 3_5_0 EXIST::FUNCTION:
+i2d_OSSL_ALLOWED_ATTRIBUTES_ITEM ? 3_5_0 EXIST::FUNCTION:
+OSSL_ALLOWED_ATTRIBUTES_ITEM_free ? 3_5_0 EXIST::FUNCTION:
+OSSL_ALLOWED_ATTRIBUTES_ITEM_new ? 3_5_0 EXIST::FUNCTION:
+OSSL_ALLOWED_ATTRIBUTES_ITEM_it ? 3_5_0 EXIST::FUNCTION:
+d2i_OSSL_ALLOWED_ATTRIBUTES_SYNTAX ? 3_5_0 EXIST::FUNCTION:
+i2d_OSSL_ALLOWED_ATTRIBUTES_SYNTAX ? 3_5_0 EXIST::FUNCTION:
+OSSL_ALLOWED_ATTRIBUTES_SYNTAX_free ? 3_5_0 EXIST::FUNCTION:
+OSSL_ALLOWED_ATTRIBUTES_SYNTAX_new ? 3_5_0 EXIST::FUNCTION:
+OSSL_ALLOWED_ATTRIBUTES_SYNTAX_it ? 3_5_0 EXIST::FUNCTION: