From: Damian Hobson-Garcia Date: Fri, 30 Jun 2023 21:03:57 +0000 (-0400) Subject: x509_acert: Add API to sign and verify attribute certificates X-Git-Tag: openssl-3.4.0-alpha1~644 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b97fb22f596bfb528e69402b1bdcdf144a563918;p=thirdparty%2Fopenssl.git x509_acert: Add API to sign and verify attribute certificates Reviewed-by: Tomas Mraz Reviewed-by: Neil Horman (Merged from https://github.com/openssl/openssl/pull/15857) --- diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index 95c91a0f206..3083eb1dca9 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -19,6 +19,7 @@ #include #include #include +#include #include #include #include @@ -52,6 +53,16 @@ int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r) return X509_REQ_verify_ex(a, r, NULL, NULL); } +int X509_ACERT_verify(X509_ACERT *a, EVP_PKEY *r) +{ + if (X509_ALGOR_cmp(&a->sig_alg, &a->acinfo->signature) != 0) + return 0; + + return ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_ACERT_INFO), &a->sig_alg, + &a->signature, a->acinfo, + NULL, r, NULL, NULL); +} + int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r) { return ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC), @@ -174,6 +185,21 @@ X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout) ASN1_ITEM_rptr(X509_CRL)); } +int X509_ACERT_sign(X509_ACERT *x, EVP_PKEY *pkey, const EVP_MD *md) +{ + return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_ACERT_INFO), &x->sig_alg, + &x->acinfo->signature, + &x->signature, x->acinfo, NULL, + pkey, md, NULL, NULL); +} + +int X509_ACERT_sign_ctx(X509_ACERT *x, EVP_MD_CTX *ctx) +{ + return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_ACERT_INFO), + &x->sig_alg, &x->acinfo->signature, &x->signature, + &x->acinfo, ctx); +} + int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md) { return diff --git a/doc/man3/X509_sign.pod b/doc/man3/X509_sign.pod index 7ca8a1a55ec..75c968b1146 100644 --- a/doc/man3/X509_sign.pod +++ b/doc/man3/X509_sign.pod @@ -4,6 +4,7 @@ X509_sign, X509_sign_ctx, X509_REQ_sign, X509_REQ_sign_ctx, +X509_ACERT_sign, X509_ACERT_sign_ctx, X509_CRL_sign, X509_CRL_sign_ctx - sign certificate, certificate request, or CRL signature @@ -20,6 +21,11 @@ sign certificate, certificate request, or CRL signature int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md); int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx); + #include + + int X509_ACERT_sign(X509_ACERT *x, EVP_PKEY *pkey, const EVP_MD *md); + int X509_ACERT_sign_ctx(X509_ACERT *x, EVP_MD_CTX *ctx); + =head1 DESCRIPTION X509_sign() signs certificate I using private key I and message @@ -29,6 +35,7 @@ If the certificate information includes X.509 extensions, these two functions make sure that the certificate bears X.509 version 3. X509_REQ_sign(), X509_REQ_sign_ctx(), +X509_ACERT_sign(), X509_ACERT_sign_ctx(), X509_CRL_sign(), and X509_CRL_sign_ctx() sign certificate requests and CRLs, respectively. @@ -68,6 +75,9 @@ available in all versions of OpenSSL. The X509_sign_ctx(), X509_REQ_sign_ctx() and X509_CRL_sign_ctx() functions were added in OpenSSL 1.0.1. +The X509_ACERT_sign() and X509_ACERT_sign_ctx() functions were added +in OpenSSL 3.4. + =head1 COPYRIGHT Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/X509_verify.pod b/doc/man3/X509_verify.pod index 8cdb2154ae5..e6c35675f80 100644 --- a/doc/man3/X509_verify.pod +++ b/doc/man3/X509_verify.pod @@ -4,7 +4,7 @@ X509_verify, X509_self_signed, X509_REQ_verify_ex, X509_REQ_verify, -X509_CRL_verify - +X509_CRL_verify, X509_ACERT_verify - verify certificate, certificate request, or CRL signature =head1 SYNOPSIS @@ -19,6 +19,9 @@ verify certificate, certificate request, or CRL signature int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r); int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r); + #include + int X509_ACERT_verify(X509_CRL *a, EVP_PKEY *r); + =head1 DESCRIPTION X509_verify() verifies the signature of certificate I using public key @@ -31,8 +34,9 @@ authority key identifier (if present) must match the subject key identifier etc. The signature itself is actually verified only if B is 1, as for explicitly trusted certificates this verification is not worth the effort. -X509_REQ_verify_ex(), X509_REQ_verify() and X509_CRL_verify() -verify the signatures of certificate requests and CRLs, respectively. +X509_REQ_verify_ex(), X509_REQ_verify(), X509_CRL_verify() and X509_ACERT_verify() +verify the signatures of certificate requests, CRLs and attribute certificates +respectively. =head1 RETURN VALUES @@ -71,6 +75,8 @@ functions are available in all versions of OpenSSL. X509_REQ_verify_ex(), and X509_self_signed() were added in OpenSSL 3.0. +X509_ACERT_verify() was added in OpenSSL 3.4. + =head1 COPYRIGHT Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/openssl/x509_acert.h.in b/include/openssl/x509_acert.h.in index 8e5744c0d83..cbbb43ec86f 100644 --- a/include/openssl/x509_acert.h.in +++ b/include/openssl/x509_acert.h.in @@ -45,6 +45,10 @@ DECLARE_PEM_rw(X509_ACERT, X509_ACERT) X509_ACERT *d2i_X509_ACERT_bio(BIO *bp, X509_ACERT **acert); int i2d_X509_ACERT_bio(BIO *bp, const X509_ACERT *acert); +int X509_ACERT_sign(X509_ACERT *x, EVP_PKEY *pkey, const EVP_MD *md); +int X509_ACERT_sign_ctx(X509_ACERT *x, EVP_MD_CTX *ctx); +int X509_ACERT_verify(X509_ACERT *a, EVP_PKEY *r); + # define X509_ACERT_VERSION_2 1 const GENERAL_NAMES *X509_ACERT_get0_holder_entityName(const X509_ACERT *x); diff --git a/util/libcrypto.num b/util/libcrypto.num index 87657e437ab..9b4cd8388b6 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5612,3 +5612,6 @@ X509_ACERT_add1_attr ? 3_4_0 EXIST::FUNCTION: X509_ACERT_add1_attr_by_OBJ ? 3_4_0 EXIST::FUNCTION: X509_ACERT_add1_attr_by_NID ? 3_4_0 EXIST::FUNCTION: X509_ACERT_add1_attr_by_txt ? 3_4_0 EXIST::FUNCTION: +X509_ACERT_sign ? 3_4_0 EXIST::FUNCTION: +X509_ACERT_sign_ctx ? 3_4_0 EXIST::FUNCTION: +X509_ACERT_verify ? 3_4_0 EXIST::FUNCTION: