feat: support the authorityAttributeIdentifier X.509v3 extension

Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25244)
2024-11-23 18:13:39 +08:00 · 2024-08-21 02:24:15 +00:00 · 2024-08-21 02:24:15 +00:00 · a6e0d6d5c0
commit a6e0d6d5c0
parent ad1d0cc999
6 changed files with 95 additions and 1 deletions
--- a/crypto/x509/build.info
+++ b/crypto/x509/build.info
@ -17,7 +17,7 @@ SOURCE[../../libcrypto]=\
        v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c v3_no_rev_avail.c \
        v3_soa_id.c v3_no_ass.c v3_group_ac.c v3_single_use.c v3_ind_iss.c \
        x509_acert.c x509aset.c t_acert.c x_ietfatt.c v3_ac_tgt.c v3_sda.c \
-        v3_usernotice.c v3_battcons.c v3_audit_id.c v3_iobo.c
+        v3_usernotice.c v3_battcons.c v3_audit_id.c v3_iobo.c v3_authattid.c

 IF[{- !$disabled{'deprecated-3.0'} -}]
  SOURCE[../../libcrypto]=x509type.c
--- a/crypto/x509/ext_dat.h
+++ b/crypto/x509/ext_dat.h
@ -42,3 +42,4 @@ extern const X509V3_EXT_METHOD ossl_v3_user_notice;
 extern const X509V3_EXT_METHOD ossl_v3_battcons;
 extern const X509V3_EXT_METHOD ossl_v3_audit_identity;
 extern const X509V3_EXT_METHOD ossl_v3_issued_on_behalf_of;
+extern const X509V3_EXT_METHOD ossl_v3_authority_attribute_identifier;
--- a/crypto/x509/standard_exts.h
+++ b/crypto/x509/standard_exts.h
@ -76,6 +76,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
    &ossl_v3_issuer_sign_tool,
    &ossl_v3_tls_feature,
    &ossl_v3_ext_admission,
+    &ossl_v3_authority_attribute_identifier,
    &ossl_v3_battcons,
    &ossl_v3_delegated_name_constraints,
    &ossl_v3_user_notice,
--- a/crypto/x509/v3_authattid.c
+++ b/crypto/x509/v3_authattid.c
@ -0,0 +1,80 @@
+/*
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/asn1t.h>
+#include <openssl/x509v3.h>
+#include <crypto/x509_acert.h>
+#include <openssl/x509_acert.h>
+#include "crypto/asn1.h"
+#include "ext_dat.h"
+
+DECLARE_ASN1_ITEM(OSSL_ISSUER_SERIAL)
+
+ASN1_ITEM_TEMPLATE(OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX, OSSL_ISSUER_SERIAL)
+ASN1_ITEM_TEMPLATE_END(OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX)
+
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX)
+
+static int i2r_ISSUER_SERIAL(X509V3_EXT_METHOD *method,
+                             OSSL_ISSUER_SERIAL *iss,
+                             BIO *out, int indent)
+{
+    if (iss->issuer != NULL) {
+        BIO_printf(out, "%*sIssuer Names:\n", indent, "");
+        OSSL_GENERAL_NAMES_print(out, iss->issuer, indent);
+        BIO_puts(out, "\n");
+    } else {
+        BIO_printf(out, "%*sIssuer Names: <none>\n", indent, "");
+    }
+    BIO_printf(out, "%*sIssuer Serial: ", indent, "");
+    if (i2a_ASN1_INTEGER(out, &(iss->serial)) <= 0)
+        return 0;
+    BIO_puts(out, "\n");
+    if (iss->issuerUID != NULL) {
+        BIO_printf(out, "%*sIssuer UID: ", indent, "");
+        if (i2a_ASN1_STRING(out, iss->issuerUID, V_ASN1_BIT_STRING) <= 0)
+            return 0;
+        BIO_puts(out, "\n");
+    } else {
+        BIO_printf(out, "%*sIssuer UID: <none>\n", indent, "");
+    }
+    return 1;
+}
+
+static int i2r_auth_attr_id(X509V3_EXT_METHOD *method,
+                            OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX *aids,
+                            BIO *out, int indent)
+{
+    int i;
+    OSSL_ISSUER_SERIAL *aid;
+
+    for (i = 0; i < sk_OSSL_ISSUER_SERIAL_num(aids); i++) {
+        if (BIO_printf(out, "%*sIssuer-Serials:\n", indent, "") <= 0)
+            return 0;
+        aid = sk_OSSL_ISSUER_SERIAL_value(aids, i);
+        if (i2r_ISSUER_SERIAL(method, aid, out, indent + 4) <= 0)
+            return 0;
+        if (BIO_puts(out, "\n") <= 0)
+            return 0;
+    }
+    return 1;
+}
+
+const X509V3_EXT_METHOD ossl_v3_authority_attribute_identifier = {
+    NID_authority_attribute_identifier, X509V3_EXT_MULTILINE,
+    ASN1_ITEM_ref(OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX),
+    0, 0, 0, 0,
+    0,
+    0,
+    0, 0,
+    (X509V3_EXT_I2R)i2r_auth_attr_id,
+    0,
+    NULL
+};
--- a/include/openssl/x509_acert.h.in
+++ b/include/openssl/x509_acert.h.in
@ -189,4 +189,11 @@ DECLARE_ASN1_FUNCTIONS(OSSL_TARGET)
 DECLARE_ASN1_FUNCTIONS(OSSL_TARGETS)
 DECLARE_ASN1_FUNCTIONS(OSSL_TARGETING_INFORMATION)

+typedef STACK_OF(OSSL_ISSUER_SERIAL) OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX;
+DECLARE_ASN1_FUNCTIONS(OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX)
+
+{-
+    generate_stack_macros("OSSL_ISSUER_SERIAL");
+-}
+
 #endif
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@ -5734,3 +5734,8 @@ EVP_CIPHER_CTX_get_algor                5861	3_4_0	EXIST::FUNCTION:
 EVP_PKEY_CTX_set_algor_params           5862	3_4_0	EXIST::FUNCTION:
 EVP_PKEY_CTX_get_algor_params           5863	3_4_0	EXIST::FUNCTION:
 EVP_PKEY_CTX_get_algor                  5864	3_4_0	EXIST::FUNCTION:
+d2i_OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX  ?	3_5_0	EXIST::FUNCTION:
+i2d_OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX  ?	3_5_0	EXIST::FUNCTION:
+OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX_free ?	3_5_0	EXIST::FUNCTION:
+OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX_new  ?	3_5_0	EXIST::FUNCTION:
+OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX_it   ?	3_5_0	EXIST::FUNCTION: