From a6e0d6d5c064af19efa5f917715b0589626908f7 Mon Sep 17 00:00:00 2001
From: "Jonathan M. Wilbur"
Date: Wed, 21 Aug 2024 02:24:15 +0000
Subject: [PATCH] feat: support the authorityAttributeIdentifier X.509v3 extension
Reviewed-by: Neil Horman
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/25244)
---
 crypto/x509/build.info | 2 +-
 crypto/x509/ext_dat.h | 1 +
 crypto/x509/standard_exts.h | 1 +
 crypto/x509/v3_authattid.c | 80 +++++++++++++++++++++++++++++++++
 include/openssl/x509_acert.h.in | 7 +++
 util/libcrypto.num | 5 +++
 6 files changed, 95 insertions(+), 1 deletion(-)
 create mode 100644 crypto/x509/v3_authattid.c
diff --git a/crypto/x509/build.info b/crypto/x509/build.info
index 8f3e0528468..ea64c26061d 100644
--- a/crypto/x509/build.info
+++ b/crypto/x509/build.info
@@ -17,7 +17,7 @@ SOURCE[../../libcrypto]=\
 v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c v3_no_rev_avail.c \
 v3_soa_id.c v3_no_ass.c v3_group_ac.c v3_single_use.c v3_ind_iss.c \
 x509_acert.c x509aset.c t_acert.c x_ietfatt.c v3_ac_tgt.c v3_sda.c \
- v3_usernotice.c v3_battcons.c v3_audit_id.c v3_iobo.c
+ v3_usernotice.c v3_battcons.c v3_audit_id.c v3_iobo.c v3_authattid.c
 IF[{- !$disabled{'deprecated-3.0'} -}]
 SOURCE[../../libcrypto]=x509type.c
diff --git a/crypto/x509/ext_dat.h b/crypto/x509/ext_dat.h
index 9a52ba238af..1f08fe32029 100644
--- a/crypto/x509/ext_dat.h
+++ b/crypto/x509/ext_dat.h
@@ -42,3 +42,4 @@ extern const X509V3_EXT_METHOD ossl_v3_user_notice;
 extern const X509V3_EXT_METHOD ossl_v3_battcons;
 extern const X509V3_EXT_METHOD ossl_v3_audit_identity;
 extern const X509V3_EXT_METHOD ossl_v3_issued_on_behalf_of;
+extern const X509V3_EXT_METHOD ossl_v3_authority_attribute_identifier;
diff --git a/crypto/x509/standard_exts.h b/crypto/x509/standard_exts.h
index 4da6ebb8a54..477f8100100 100644
--- a/crypto/x509/standard_exts.h
+++ b/crypto/x509/standard_exts.h
@@ -76,6 +76,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
 &ossl_v3_issuer_sign_tool,
 &ossl_v3_tls_feature,
 &ossl_v3_ext_admission,
+ &ossl_v3_authority_attribute_identifier,
 &ossl_v3_battcons,
 &ossl_v3_delegated_name_constraints,
 &ossl_v3_user_notice,
diff --git a/crypto/x509/v3_authattid.c b/crypto/x509/v3_authattid.c
new file mode 100644
index 00000000000..65d9bb67eda
--- /dev/null
+++ b/crypto/x509/v3_authattid.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include
+#include
+#include
+#include
+#include "crypto/asn1.h"
+#include "ext_dat.h"
+
+DECLARE_ASN1_ITEM(OSSL_ISSUER_SERIAL)
+
+ASN1_ITEM_TEMPLATE(OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX) =
+ ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX, OSSL_ISSUER_SERIAL)
+ASN1_ITEM_TEMPLATE_END(OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX)
+
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX)
+
+static int i2r_ISSUER_SERIAL(X509V3_EXT_METHOD *method,
+ OSSL_ISSUER_SERIAL *iss,
+ BIO *out, int indent)
+{
+ if (iss->issuer != NULL) {
+ BIO_printf(out, "%*sIssuer Names:\n", indent, "");
+ OSSL_GENERAL_NAMES_print(out, iss->issuer, indent);
+ BIO_puts(out, "\n");
+ } else {
+ BIO_printf(out, "%*sIssuer Names: \n", indent, "");
+ }
+ BIO_printf(out, "%*sIssuer Serial: ", indent, "");
+ if (i2a_ASN1_INTEGER(out, &(iss->serial)) <= 0)
+ return 0;
+ BIO_puts(out, "\n");
+ if (iss->issuerUID != NULL) {
+ BIO_printf(out, "%*sIssuer UID: ", indent, "");
+ if (i2a_ASN1_STRING(out, iss->issuerUID, V_ASN1_BIT_STRING) <= 0)
+ return 0;
+ BIO_puts(out, "\n");
+ } else {
+ BIO_printf(out, "%*sIssuer UID: \n", indent, "");
+ }
+ return 1;
+}
+
+static int i2r_auth_attr_id(X509V3_EXT_METHOD *method,
+ OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX *aids,
+ BIO *out, int indent)
+{
+ int i;
+ OSSL_ISSUER_SERIAL *aid;
+
+ for (i = 0; i < sk_OSSL_ISSUER_SERIAL_num(aids); i++) {
+ if (BIO_printf(out, "%*sIssuer-Serials:\n", indent, "") <= 0)
+ return 0;
+ aid = sk_OSSL_ISSUER_SERIAL_value(aids, i);
+ if (i2r_ISSUER_SERIAL(method, aid, out, indent + 4) <= 0)
+ return 0;
+ if (BIO_puts(out, "\n") <= 0)
+ return 0;
+ }
+ return 1;
+}
+
+const X509V3_EXT_METHOD ossl_v3_authority_attribute_identifier = {
+ NID_authority_attribute_identifier, X509V3_EXT_MULTILINE,
+ ASN1_ITEM_ref(OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX),
+ 0, 0, 0, 0,
+ 0,
+ 0,
+ 0, 0,
+ (X509V3_EXT_I2R)i2r_auth_attr_id,
+ 0,
+ NULL
+};
diff --git a/include/openssl/x509_acert.h.in b/include/openssl/x509_acert.h.in
index 76570d49549..bf4395eec6a 100644
--- a/include/openssl/x509_acert.h.in
+++ b/include/openssl/x509_acert.h.in
@@ -189,4 +189,11 @@ DECLARE_ASN1_FUNCTIONS(OSSL_TARGET)
 DECLARE_ASN1_FUNCTIONS(OSSL_TARGETS)
 DECLARE_ASN1_FUNCTIONS(OSSL_TARGETING_INFORMATION)
+typedef STACK_OF(OSSL_ISSUER_SERIAL) OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX;
+DECLARE_ASN1_FUNCTIONS(OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX)
+
+{-
+ generate_stack_macros("OSSL_ISSUER_SERIAL");
+-}
+
 #endif
diff --git a/util/libcrypto.num b/util/libcrypto.num
index b231ca40bd4..39b1068006c 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5734,3 +5734,8 @@ EVP_CIPHER_CTX_get_algor 5861 3_4_0 EXIST::FUNCTION:
 EVP_PKEY_CTX_set_algor_params 5862 3_4_0 EXIST::FUNCTION:
 EVP_PKEY_CTX_get_algor_params 5863 3_4_0 EXIST::FUNCTION:
 EVP_PKEY_CTX_get_algor 5864 3_4_0 EXIST::FUNCTION:
+d2i_OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX ? 3_5_0 EXIST::FUNCTION:
+i2d_OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX ? 3_5_0 EXIST::FUNCTION:
+OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX_free ? 3_5_0 EXIST::FUNCTION:
+OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX_new ? 3_5_0 EXIST::FUNCTION:
+OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX_it ? 3_5_0 EXIST::FUNCTION:
--
2.47.2
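Review bot: i2r_ISSUER_SERIAL in the new crypto/x509/v3_authattid.c discards the return values of BIO_printf, OSSL_GENERAL_NAMES_print and BIO_puts, so a failed or short write to the BIO still returns 1, while the sibling i2r_auth_attr_id in the same hunk checks every write it makes; since this printer runs over externally supplied certificate content, the two should follow one error-reporting convention. A second point of style: the `Issuer-Serials:` heading in i2r_auth_attr_id is printed inside the loop, so it is repeated before each element rather than once per extension, which reads as if each entry were its own list. The diffstat also shows no test vector exercising the new printer and no documentation for the five symbols added to util/libcrypto.num; a short doc entry stating that OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX is a STACK_OF(OSSL_ISSUER_SERIAL) decoded by d2i_OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX would close that gap. Below is i2r_ISSUER_SERIAL rewritten with every write checked; it assumes OSSL_GENERAL_NAMES_print signals failure with a result of 0 or less like the other print helpers, which should be confirmed against its definition.
```c
static int i2r_ISSUER_SERIAL(X509V3_EXT_METHOD *method,
                             OSSL_ISSUER_SERIAL *iss,
                             BIO *out, int indent)
{
    if (iss->issuer != NULL) {
        if (BIO_printf(out, "%*sIssuer Names:\n", indent, "") <= 0
            || OSSL_GENERAL_NAMES_print(out, iss->issuer, indent) <= 0
            || BIO_puts(out, "\n") <= 0)
            return 0;
    } else if (BIO_printf(out, "%*sIssuer Names: \n", indent, "") <= 0) {
        return 0;
    }
    if (BIO_printf(out, "%*sIssuer Serial: ", indent, "") <= 0
        || i2a_ASN1_INTEGER(out, &(iss->serial)) <= 0
        || BIO_puts(out, "\n") <= 0)
        return 0;
    if (iss->issuerUID != NULL) {
        if (BIO_printf(out, "%*sIssuer UID: ", indent, "") <= 0
            || i2a_ASN1_STRING(out, iss->issuerUID, V_ASN1_BIT_STRING) <= 0
            || BIO_puts(out, "\n") <= 0)
            return 0;
    } else if (BIO_printf(out, "%*sIssuer UID: \n", indent, "") <= 0) {
        return 0;
    }
    return 1;
}
```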