zzy/openssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: support the allowedAttributeAssignments X.509v3 extension

Browse Source 
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26163)
This commit is contained in:
Jonathan M. Wilbur 2024-12-12 14:29:50 +00:00 committed by Tomas Mraz
parent 0f6caf7409
commit 9598bc15e9
6 changed files with 177 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
crypto/x509/build.info
View File

@ -18,7 +18,7 @@ SOURCE[../../libcrypto]=\
v3_soa_id.c v3_no_ass.c v3_group_ac.c v3_single_use.c v3_ind_iss.c \
x509_acert.c x509aset.c t_acert.c x_ietfatt.c v3_ac_tgt.c v3_sda.c \
v3_usernotice.c v3_battcons.c v3_audit_id.c v3_iobo.c v3_authattid.c \
v3_rolespec.c v3_attrdesc.c v3_timespec.c v3_attrmap.c
v3_rolespec.c v3_attrdesc.c v3_timespec.c v3_attrmap.c v3_aaa.c
IF[{- !$disabled{'deprecated-3.0'} -}]
SOURCE[../../libcrypto]=x509type.c

1
crypto/x509/ext_dat.h
View File

@ -47,3 +47,4 @@ extern const X509V3_EXT_METHOD ossl_v3_role_spec_cert_identifier;
extern const X509V3_EXT_METHOD ossl_v3_attribute_descriptor;
extern const X509V3_EXT_METHOD ossl_v3_time_specification;
extern const X509V3_EXT_METHOD ossl_v3_attribute_mappings;
extern const X509V3_EXT_METHOD ossl_v3_allowed_attribute_assignments;

1
crypto/x509/standard_exts.h
View File

@ -91,6 +91,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
&ossl_v3_issued_on_behalf_of,
&ossl_v3_single_use,
&ossl_v3_group_ac,
&ossl_v3_allowed_attribute_assignments,
&ossl_v3_attribute_mappings,
&ossl_v3_holder_name_constraints,
&ossl_v3_associated_info,

129
crypto/x509/v3_aaa.c Normal file
View File

@ -0,0 +1,129 @@
/*
* Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
#include <openssl/x509.h>
#include <crypto/x509.h>
#include "ext_dat.h"
ASN1_CHOICE(OSSL_ALLOWED_ATTRIBUTES_CHOICE) = {
ASN1_IMP(OSSL_ALLOWED_ATTRIBUTES_CHOICE, choice.attributeType, ASN1_OBJECT,
OSSL_AAA_ATTRIBUTE_TYPE),
ASN1_IMP(OSSL_ALLOWED_ATTRIBUTES_CHOICE, choice.attributeTypeandValues,
X509_ATTRIBUTE, OSSL_AAA_ATTRIBUTE_VALUES),
} ASN1_CHOICE_END(OSSL_ALLOWED_ATTRIBUTES_CHOICE)
ASN1_SEQUENCE(OSSL_ALLOWED_ATTRIBUTES_ITEM) = {
ASN1_IMP_SET_OF(OSSL_ALLOWED_ATTRIBUTES_ITEM, attributes,
OSSL_ALLOWED_ATTRIBUTES_CHOICE, 0),
/* This MUST be EXPLICIT, because it contains a CHOICE. */
ASN1_EXP(OSSL_ALLOWED_ATTRIBUTES_ITEM, holderDomain, GENERAL_NAME, 1),
} ASN1_SEQUENCE_END(OSSL_ALLOWED_ATTRIBUTES_ITEM)
ASN1_ITEM_TEMPLATE(OSSL_ALLOWED_ATTRIBUTES_SYNTAX) =
ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_OF, 0, OSSL_ALLOWED_ATTRIBUTES_SYNTAX,
OSSL_ALLOWED_ATTRIBUTES_ITEM)
ASN1_ITEM_TEMPLATE_END(OSSL_ALLOWED_ATTRIBUTES_SYNTAX)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_CHOICE)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_ITEM)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_SYNTAX)
static int i2r_ALLOWED_ATTRIBUTES_CHOICE(X509V3_EXT_METHOD *method,
OSSL_ALLOWED_ATTRIBUTES_CHOICE *a,
BIO *out, int indent)
{
ASN1_OBJECT *attr_obj;
int attr_nid, j;
X509_ATTRIBUTE *attr;
ASN1_TYPE *av;
switch (a->type) {
case (OSSL_AAA_ATTRIBUTE_TYPE):
if (BIO_printf(out, "%*sAttribute Type: ", indent, "") <= 0)
return 0;
if (i2a_ASN1_OBJECT(out, a->choice.attributeType) <= 0)
return 0;
return BIO_puts(out, "\n") > 0;
case (OSSL_AAA_ATTRIBUTE_VALUES):
attr = a->choice.attributeTypeandValues;
attr_obj = X509_ATTRIBUTE_get0_object(attr);
attr_nid = OBJ_obj2nid(attr_obj);
if (BIO_printf(out, "%*sAttribute Values: ", indent, "") <= 0)
return 0;
if (i2a_ASN1_OBJECT(out, attr_obj) <= 0)
return 0;
if (BIO_puts(out, "\n") <= 0)
return 0;
for (j = 0; j < X509_ATTRIBUTE_count(attr); j++) {
av = X509_ATTRIBUTE_get0_type(attr, j);
if (ossl_print_attribute_value(out, attr_nid, av, indent + 4) <= 0)
return 0;
if (BIO_puts(out, "\n") <= 0)
return 0;
}
break;
default:
return 0;
}
return 1;
}
static int i2r_ALLOWED_ATTRIBUTES_ITEM(X509V3_EXT_METHOD *method,
OSSL_ALLOWED_ATTRIBUTES_ITEM *aai,
BIO *out, int indent)
{
int i;
OSSL_ALLOWED_ATTRIBUTES_CHOICE *a;
for (i = 0; i < sk_OSSL_ALLOWED_ATTRIBUTES_CHOICE_num(aai->attributes); i++) {
if (BIO_printf(out, "%*sAllowed Attribute Type or Values:\n", indent, "") <= 0)
return 0;
a = sk_OSSL_ALLOWED_ATTRIBUTES_CHOICE_value(aai->attributes, i);
if (i2r_ALLOWED_ATTRIBUTES_CHOICE(method, a, out, indent + 4) <= 0)
return 0;
}
if (BIO_printf(out, "%*sHolder Domain: ", indent, "") <= 0)
return 0;
if (GENERAL_NAME_print(out, aai->holderDomain) <= 0)
return 0;
if (BIO_puts(out, "\n") <= 0)
return 0;
return 1;
}
static int i2r_ALLOWED_ATTRIBUTES_SYNTAX(X509V3_EXT_METHOD *method,
OSSL_ALLOWED_ATTRIBUTES_SYNTAX *aaa,
BIO *out, int indent)
{
int i;
OSSL_ALLOWED_ATTRIBUTES_ITEM *aai;
for (i = 0; i < sk_OSSL_ALLOWED_ATTRIBUTES_ITEM_num(aaa); i++) {
if (BIO_printf(out, "%*sAllowed Attributes:\n", indent, "") <= 0)
return 0;
aai = sk_OSSL_ALLOWED_ATTRIBUTES_ITEM_value(aaa, i);
if (i2r_ALLOWED_ATTRIBUTES_ITEM(method, aai, out, indent + 4) <= 0)
return 0;
}
return 1;
}
const X509V3_EXT_METHOD ossl_v3_allowed_attribute_assignments = {
NID_allowed_attribute_assignments, 0,
ASN1_ITEM_ref(OSSL_ALLOWED_ATTRIBUTES_SYNTAX),
0, 0, 0, 0,
0, 0,
0,
0,
(X509V3_EXT_I2R)i2r_ALLOWED_ATTRIBUTES_SYNTAX,
0,
NULL
};

30
include/openssl/x509v3.h.in
View File

@ -1316,6 +1316,36 @@ DECLARE_ASN1_FUNCTIONS(OSSL_ATTRIBUTE_MAPPINGS)
generate_stack_macros("OSSL_ATTRIBUTE_MAPPING");
-}
# define OSSL_AAA_ATTRIBUTE_TYPE 0
# define OSSL_AAA_ATTRIBUTE_VALUES 1
typedef struct ALLOWED_ATTRIBUTES_CHOICE_st {
int type;
union {
ASN1_OBJECT *attributeType;
X509_ATTRIBUTE *attributeTypeandValues;
} choice;
} OSSL_ALLOWED_ATTRIBUTES_CHOICE;
typedef struct ALLOWED_ATTRIBUTES_ITEM_st {
STACK_OF(OSSL_ALLOWED_ATTRIBUTES_CHOICE) *attributes;
GENERAL_NAME *holderDomain;
} OSSL_ALLOWED_ATTRIBUTES_ITEM;
typedef STACK_OF(OSSL_ALLOWED_ATTRIBUTES_ITEM) OSSL_ALLOWED_ATTRIBUTES_SYNTAX;
DECLARE_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_CHOICE)
DECLARE_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_ITEM)
DECLARE_ASN1_FUNCTIONS(OSSL_ALLOWED_ATTRIBUTES_SYNTAX)
{-
generate_stack_macros("OSSL_ALLOWED_ATTRIBUTES_CHOICE");
-}
{-
generate_stack_macros("OSSL_ALLOWED_ATTRIBUTES_ITEM");
-}
# ifdef __cplusplus
}
# endif

15
util/libcrypto.num
View File

@ -5861,3 +5861,18 @@ i2d_OSSL_ATAV ? 3_5_0 EXIST::FUNCTION:
OSSL_ATAV_free ? 3_5_0 EXIST::FUNCTION:
OSSL_ATAV_new ? 3_5_0 EXIST::FUNCTION:
OSSL_ATAV_it ? 3_5_0 EXIST::FUNCTION:
d2i_OSSL_ALLOWED_ATTRIBUTES_CHOICE ? 3_5_0 EXIST::FUNCTION:
i2d_OSSL_ALLOWED_ATTRIBUTES_CHOICE ? 3_5_0 EXIST::FUNCTION:
OSSL_ALLOWED_ATTRIBUTES_CHOICE_free ? 3_5_0 EXIST::FUNCTION:
OSSL_ALLOWED_ATTRIBUTES_CHOICE_new ? 3_5_0 EXIST::FUNCTION:
OSSL_ALLOWED_ATTRIBUTES_CHOICE_it ? 3_5_0 EXIST::FUNCTION:
d2i_OSSL_ALLOWED_ATTRIBUTES_ITEM ? 3_5_0 EXIST::FUNCTION:
i2d_OSSL_ALLOWED_ATTRIBUTES_ITEM ? 3_5_0 EXIST::FUNCTION:
OSSL_ALLOWED_ATTRIBUTES_ITEM_free ? 3_5_0 EXIST::FUNCTION:
OSSL_ALLOWED_ATTRIBUTES_ITEM_new ? 3_5_0 EXIST::FUNCTION:
OSSL_ALLOWED_ATTRIBUTES_ITEM_it ? 3_5_0 EXIST::FUNCTION:
d2i_OSSL_ALLOWED_ATTRIBUTES_SYNTAX ? 3_5_0 EXIST::FUNCTION:
i2d_OSSL_ALLOWED_ATTRIBUTES_SYNTAX ? 3_5_0 EXIST::FUNCTION:
OSSL_ALLOWED_ATTRIBUTES_SYNTAX_free ? 3_5_0 EXIST::FUNCTION:
OSSL_ALLOWED_ATTRIBUTES_SYNTAX_new ? 3_5_0 EXIST::FUNCTION:
OSSL_ALLOWED_ATTRIBUTES_SYNTAX_it ? 3_5_0 EXIST::FUNCTION: