feat: support userNotice X.509v3 extension

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24761)

crypto/x509/build.info

@@ -16,7 +16,8 @@ SOURCE[../../libcrypto]=\
         pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \
         v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c v3_no_rev_avail.c \
         v3_soa_id.c v3_no_ass.c v3_group_ac.c v3_single_use.c v3_ind_iss.c \
-        x509_acert.c x509aset.c t_acert.c x_ietfatt.c v3_ac_tgt.c v3_sda.c
+        x509_acert.c x509aset.c t_acert.c x_ietfatt.c v3_ac_tgt.c v3_sda.c \
+        v3_usernotice.c
 
 IF[{- !$disabled{'deprecated-3.0'} -}]
   SOURCE[../../libcrypto]=x509type.c

crypto/x509/ext_dat.h

@@ -38,3 +38,4 @@ extern const X509V3_EXT_METHOD ossl_v3_subj_dir_attrs;
 extern const X509V3_EXT_METHOD ossl_v3_associated_info;
 extern const X509V3_EXT_METHOD ossl_v3_acc_cert_policies;
 extern const X509V3_EXT_METHOD ossl_v3_acc_priv_policies;
+extern const X509V3_EXT_METHOD ossl_v3_user_notice;

crypto/x509/standard_exts.h

@@ -76,6 +76,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
     &ossl_v3_tls_feature,
     &ossl_v3_ext_admission,
     &ossl_v3_delegated_name_constraints,
+    &ossl_v3_user_notice,
     &ossl_v3_soa_identifier,
     &ossl_v3_acc_cert_policies,
     &ossl_v3_acc_priv_policies,

crypto/x509/v3_sda.c

@@ -12,14 +12,14 @@
 #include <crypto/x509.h>
 #include "ext_dat.h"
 
-ASN1_ITEM_TEMPLATE(ATTRIBUTES_SYNTAX) =
+ASN1_ITEM_TEMPLATE(OSSL_ATTRIBUTES_SYNTAX) =
         ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, Attributes, X509_ATTRIBUTE)
-ASN1_ITEM_TEMPLATE_END(ATTRIBUTES_SYNTAX)
+ASN1_ITEM_TEMPLATE_END(OSSL_ATTRIBUTES_SYNTAX)
 
-IMPLEMENT_ASN1_FUNCTIONS(ATTRIBUTES_SYNTAX)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_ATTRIBUTES_SYNTAX)
 
 static int i2r_ATTRIBUTES_SYNTAX(X509V3_EXT_METHOD *method,
-                                 ATTRIBUTES_SYNTAX *attrlst,
+                                 OSSL_ATTRIBUTES_SYNTAX *attrlst,
                                  BIO *out, int indent)
 {
     X509_ATTRIBUTE *attr;
@@ -71,7 +71,7 @@ static int i2r_ATTRIBUTES_SYNTAX(X509V3_EXT_METHOD *method,
 
 const X509V3_EXT_METHOD ossl_v3_subj_dir_attrs = {
     NID_subject_directory_attributes, X509V3_EXT_MULTILINE,
-    ASN1_ITEM_ref(ATTRIBUTES_SYNTAX),
+    ASN1_ITEM_ref(OSSL_ATTRIBUTES_SYNTAX),
     0, 0, 0, 0,
     0, 0, 0, 0,
     (X509V3_EXT_I2R)i2r_ATTRIBUTES_SYNTAX,
@@ -81,7 +81,7 @@ const X509V3_EXT_METHOD ossl_v3_subj_dir_attrs = {
 
 const X509V3_EXT_METHOD ossl_v3_associated_info = {
     NID_associated_information, X509V3_EXT_MULTILINE,
-    ASN1_ITEM_ref(ATTRIBUTES_SYNTAX),
+    ASN1_ITEM_ref(OSSL_ATTRIBUTES_SYNTAX),
     0, 0, 0, 0,
     0, 0, 0, 0,
     (X509V3_EXT_I2R)i2r_ATTRIBUTES_SYNTAX,

crypto/x509/v3_usernotice.c

@@ -0,0 +1,94 @@
+/*
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/asn1t.h>
+#include <openssl/x509v3.h>
+#include "ext_dat.h"
+
+ASN1_ITEM_TEMPLATE(OSSL_USER_NOTICE_SYNTAX) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_USER_NOTICE_SYNTAX, USERNOTICE)
+ASN1_ITEM_TEMPLATE_END(OSSL_USER_NOTICE_SYNTAX)
+
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_USER_NOTICE_SYNTAX)
+
+static int print_notice(BIO *out, USERNOTICE *notice, int indent)
+{
+    int i;
+    ASN1_INTEGER *num;
+    char *tmp;
+
+    if (notice->noticeref) {
+        NOTICEREF *ref;
+        ref = notice->noticeref;
+        if (BIO_printf(out, "%*sOrganization: %.*s\n", indent, "",
+                   ref->organization->length,
+                   ref->organization->data) <= 0)
+            return 0;
+        if (BIO_printf(out, "%*sNumber%s: ", indent, "",
+                   sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "") <= 0)
+            return 0;
+        for (i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) {
+            num = sk_ASN1_INTEGER_value(ref->noticenos, i);
+            if (i && BIO_puts(out, ", ") <= 0)
+                return 0;
+            if (num == NULL && BIO_puts(out, "(null)") <= 0)
+                return 0;
+            else {
+                tmp = i2s_ASN1_INTEGER(NULL, num);
+                if (tmp == NULL)
+                    return 0;
+                if (BIO_puts(out, tmp) <= 0) {
+                    OPENSSL_free(tmp);
+                    return 0;
+                }
+                OPENSSL_free(tmp);
+            }
+        }
+        if (notice->exptext && BIO_puts(out, "\n") <= 0)
+            return 0;
+    }
+    if (notice->exptext == NULL)
+        return 1;
+
+    return BIO_printf(out, "%*sExplicit Text: %.*s", indent, "",
+                notice->exptext->length,
+                notice->exptext->data) >= 0;
+}
+
+static int i2r_USER_NOTICE_SYNTAX(X509V3_EXT_METHOD *method,
+                                  OSSL_USER_NOTICE_SYNTAX *uns,
+                                  BIO *out, int indent)
+{
+    int i;
+    USERNOTICE *unotice;
+
+    if (BIO_printf(out, "%*sUser Notices:\n", indent, "") <= 0)
+        return 0;
+
+    for (i = 0; i < sk_USERNOTICE_num(uns); i++) {
+        unotice = sk_USERNOTICE_value(uns, i);
+        if (!print_notice(out, unotice, indent + 4))
+            return 0;
+        if (BIO_puts(out, "\n\n") <= 0)
+            return 0;
+    }
+    return 1;
+}
+
+const X509V3_EXT_METHOD ossl_v3_user_notice = {
+    NID_user_notice, 0,
+    ASN1_ITEM_ref(OSSL_USER_NOTICE_SYNTAX),
+    0, 0, 0, 0,
+    0,
+    0,
+    0, 0,
+    (X509V3_EXT_I2R)i2r_USER_NOTICE_SYNTAX,
+    0,
+    NULL
+};

doc/man3/X509_dup.pod

@@ -19,9 +19,6 @@ ASIdentifiers_free,
 ASIdentifiers_new,
 ASRange_free,
 ASRange_new,
-ATTRIBUTES_SYNTAX_free,
-ATTRIBUTES_SYNTAX_it,
-ATTRIBUTES_SYNTAX_new,
 AUTHORITY_INFO_ACCESS_free,
 AUTHORITY_INFO_ACCESS_new,
 AUTHORITY_KEYID_free,
@@ -139,6 +136,9 @@ OCSP_SIGNATURE_free,
 OCSP_SIGNATURE_new,
 OCSP_SINGLERESP_free,
 OCSP_SINGLERESP_new,
+OSSL_ATTRIBUTES_SYNTAX_free,
+OSSL_ATTRIBUTES_SYNTAX_it,
+OSSL_ATTRIBUTES_SYNTAX_new,
 OSSL_CMP_ATAVS_new,
 OSSL_CMP_ATAVS_free,
 OSSL_CMP_ATAVS_it,
@@ -204,6 +204,9 @@ OSSL_ISSUER_SERIAL_free,
 OSSL_ISSUER_SERIAL_new,
 OSSL_OBJECT_DIGEST_INFO_free,
 OSSL_OBJECT_DIGEST_INFO_new,
+OSSL_USER_NOTICE_SYNTAX_free,
+OSSL_USER_NOTICE_SYNTAX_new,
+OSSL_USER_NOTICE_SYNTAX_it,
 OTHERNAME_free,
 OTHERNAME_new,
 PBE2PARAM_free,

doc/man3/d2i_X509.pod

@@ -38,7 +38,6 @@ d2i_ASN1_UTCTIME,
 d2i_ASN1_UTF8STRING,
 d2i_ASN1_VISIBLESTRING,
 d2i_ASRange,
-d2i_ATTRIBUTES_SYNTAX,
 d2i_AUTHORITY_INFO_ACCESS,
 d2i_AUTHORITY_KEYID,
 d2i_BASIC_CONSTRAINTS,
@@ -90,6 +89,7 @@ d2i_OCSP_REVOKEDINFO,
 d2i_OCSP_SERVICELOC,
 d2i_OCSP_SIGNATURE,
 d2i_OCSP_SINGLERESP,
+d2i_OSSL_ATTRIBUTES_SYNTAX,
 d2i_OSSL_CMP_ATAVS,
 d2i_OSSL_CMP_MSG,
 d2i_OSSL_CMP_PKIHEADER,
@@ -109,6 +109,7 @@ d2i_OSSL_TARGET_CERT,
 d2i_OSSL_TARGET,
 d2i_OSSL_TARGETING_INFORMATION,
 d2i_OSSL_TARGETS,
+d2i_OSSL_USER_NOTICE_SYNTAX,
 d2i_OTHERNAME,
 d2i_PBE2PARAM,
 d2i_PBEPARAM,
@@ -221,7 +222,6 @@ i2d_ASN1_UTF8STRING,
 i2d_ASN1_VISIBLESTRING,
 i2d_ASN1_bio_stream,
 i2d_ASRange,
-i2d_ATTRIBUTES_SYNTAX,
 i2d_AUTHORITY_INFO_ACCESS,
 i2d_AUTHORITY_KEYID,
 i2d_BASIC_CONSTRAINTS,
@@ -273,6 +273,7 @@ i2d_OCSP_REVOKEDINFO,
 i2d_OCSP_SERVICELOC,
 i2d_OCSP_SIGNATURE,
 i2d_OCSP_SINGLERESP,
+i2d_OSSL_ATTRIBUTES_SYNTAX,
 i2d_OSSL_CMP_ATAVS,
 i2d_OSSL_CMP_MSG,
 i2d_OSSL_CMP_PKIHEADER,
@@ -292,6 +293,7 @@ i2d_OSSL_TARGET_CERT,
 i2d_OSSL_TARGET,
 i2d_OSSL_TARGETING_INFORMATION,
 i2d_OSSL_TARGETS,
+i2d_OSSL_USER_NOTICE_SYNTAX,
 i2d_OTHERNAME,
 i2d_PBE2PARAM,
 i2d_PBEPARAM,

include/openssl/x509v3.h.in

@@ -1021,8 +1021,15 @@ void PROFESSION_INFO_set0_registrationNumber(
 
 int OSSL_GENERAL_NAMES_print(BIO *out, GENERAL_NAMES *gens, int indent);
 
-typedef STACK_OF(X509_ATTRIBUTE) ATTRIBUTES_SYNTAX;
-DECLARE_ASN1_FUNCTIONS(ATTRIBUTES_SYNTAX)
+typedef STACK_OF(X509_ATTRIBUTE) OSSL_ATTRIBUTES_SYNTAX;
+DECLARE_ASN1_FUNCTIONS(OSSL_ATTRIBUTES_SYNTAX)
+
+typedef STACK_OF(USERNOTICE) OSSL_USER_NOTICE_SYNTAX;
+DECLARE_ASN1_FUNCTIONS(OSSL_USER_NOTICE_SYNTAX)
+
+{-
+    generate_stack_macros("USERNOTICE");
+-}
 
 # ifdef  __cplusplus
 }

util/libcrypto.num

@@ -5683,10 +5683,15 @@ OSSL_TARGETING_INFORMATION_free         ?	3_4_0	EXIST::FUNCTION:
 OSSL_TARGETING_INFORMATION_new          ?	3_4_0	EXIST::FUNCTION:
 OSSL_TARGETING_INFORMATION_it           ?	3_4_0	EXIST::FUNCTION:
 OSSL_GENERAL_NAMES_print                ?	3_4_0	EXIST::FUNCTION:
-d2i_ATTRIBUTES_SYNTAX                   ?	3_4_0	EXIST::FUNCTION:
-i2d_ATTRIBUTES_SYNTAX                   ?	3_4_0	EXIST::FUNCTION:
-ATTRIBUTES_SYNTAX_free                  ?	3_4_0	EXIST::FUNCTION:
-ATTRIBUTES_SYNTAX_new                   ?	3_4_0	EXIST::FUNCTION:
-ATTRIBUTES_SYNTAX_it                    ?	3_4_0	EXIST::FUNCTION:
 CRYPTO_atomic_add64                     ?	3_4_0	EXIST::FUNCTION:
 CRYPTO_atomic_and                       ?	3_4_0	EXIST::FUNCTION:
+d2i_OSSL_ATTRIBUTES_SYNTAX              ?	3_4_0	EXIST::FUNCTION:
+i2d_OSSL_ATTRIBUTES_SYNTAX              ?	3_4_0	EXIST::FUNCTION:
+OSSL_ATTRIBUTES_SYNTAX_free             ?	3_4_0	EXIST::FUNCTION:
+OSSL_ATTRIBUTES_SYNTAX_new              ?	3_4_0	EXIST::FUNCTION:
+OSSL_ATTRIBUTES_SYNTAX_it               ?	3_4_0	EXIST::FUNCTION:
+d2i_OSSL_USER_NOTICE_SYNTAX             ?	3_4_0	EXIST::FUNCTION:
+i2d_OSSL_USER_NOTICE_SYNTAX             ?	3_4_0	EXIST::FUNCTION:
+OSSL_USER_NOTICE_SYNTAX_free            ?	3_4_0	EXIST::FUNCTION:
+OSSL_USER_NOTICE_SYNTAX_new             ?	3_4_0	EXIST::FUNCTION:
+OSSL_USER_NOTICE_SYNTAX_it              ?	3_4_0	EXIST::FUNCTION: