feat: add delegatedNameConstraints and holderNameConstraints exts

Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24664)
2024-06-17 21:40:30 +00:00 · 2024-06-17 21:40:30 +00:00 · a7ed61ce8b
commit a7ed61ce8b
parent 2e9cd409c0
6 changed files with 72 additions and 2 deletions
--- a/crypto/x509/ext_dat.h
+++ b/crypto/x509/ext_dat.h
@ -32,3 +32,5 @@ extern const X509V3_EXT_METHOD ossl_v3_no_rev_avail;
 extern const X509V3_EXT_METHOD ossl_v3_single_use;
 extern const X509V3_EXT_METHOD ossl_v3_indirect_issuer;
 extern const X509V3_EXT_METHOD ossl_v3_targeting_information;
 extern const X509V3_EXT_METHOD ossl_v3_holder_name_constraints;
 extern const X509V3_EXT_METHOD ossl_v3_delegated_name_constraints;
--- a/crypto/x509/standard_exts.h
+++ b/crypto/x509/standard_exts.h
@ -74,11 +74,13 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
    &ossl_v3_issuer_sign_tool,
    &ossl_v3_tls_feature,
    &ossl_v3_ext_admission,
    &ossl_v3_delegated_name_constraints,
    &ossl_v3_soa_identifier,
    &ossl_v3_indirect_issuer,
    &ossl_v3_no_assertion,
    &ossl_v3_single_use,
-    &ossl_v3_group_ac
+    &ossl_v3_group_ac,
    &ossl_v3_holder_name_constraints,
 };
 /* Number of standard extensions */
--- a/crypto/x509/v3_ncons.c
+++ b/crypto/x509/v3_ncons.c
@ -53,6 +53,26 @@ const X509V3_EXT_METHOD ossl_v3_name_constraints = {
    NULL
 };
 const X509V3_EXT_METHOD ossl_v3_holder_name_constraints = {
    NID_holder_name_constraints, 0,
    ASN1_ITEM_ref(NAME_CONSTRAINTS),
    0, 0, 0, 0,
    0, 0,
    0, v2i_NAME_CONSTRAINTS,
    i2r_NAME_CONSTRAINTS, 0,
    NULL
 };
 const X509V3_EXT_METHOD ossl_v3_delegated_name_constraints = {
    NID_delegated_name_constraints, 0,
    ASN1_ITEM_ref(NAME_CONSTRAINTS),
    0, 0, 0, 0,
    0, 0,
    0, v2i_NAME_CONSTRAINTS,
    i2r_NAME_CONSTRAINTS, 0,
    NULL
 };
 ASN1_SEQUENCE(GENERAL_SUBTREE) = {
        ASN1_SIMPLE(GENERAL_SUBTREE, base, GENERAL_NAME),
        ASN1_IMP_OPT(GENERAL_SUBTREE, minimum, ASN1_INTEGER, 0),
--- a/test/certs/ext-delegatedNameConstraints.pem
+++ b/test/certs/ext-delegatedNameConstraints.pem
@ -0,0 +1,12 @@
 -----BEGIN CERTIFICATE-----
 MIIBsDCCAZygAwIBAgIDAQIDMAsGCSqGSIb3DQEBBTAAMCIYDzIwMjEwODMxMDI0
 MTA0WhgPMjAyMTA4MzEwMjQxMDRaMAAwggEgMAsGCSqGSIb3DQEBAQOCAQ8AMIIB
 CgKCAQEAtnjLm1ts1hC4fNNt3UnQD9y73bDXgioTyWYSI3ca/KNfuTydjFTEYAmq
 nuGrBOUfgbmH3PRQ0AmpqljgWTb3d3K8H4UFvDWQTPSS21IMjm8oqd19nE5GxWir
 Gu0oDRzhWLHe1RZ7ZrohCPg/1Ocsy47QZuK2laFB0rEmrRWBmEYbDl3/wxf5XfqI
 qpOynJB02thXrTCcTM7Rz1FqCFt/ZVZB5hKY2S+CTdE9OIVKlr4WHMfuvUYeOj06
 GkwLFJHNv2tU+tovI3mYRxUuY4UupkS3MC+Otey7XKm1P+INjWWoegm6iCAt3Vus
 pVz+6pU2xgl3nrAVMQHB4fReQPH0pQIDAQABozcwNTAzBgNVHSoELDAqoCgwJqQe
 MBwxGjAYBgNVBAMMEVdpbGRib2FyIFNvZnR3YXJlgAEBgQEDMAsGCSqGSIb3DQEB
 BQMBAA==
 -----END CERTIFICATE-----
--- a/test/certs/ext-holderNameConstraints.pem
+++ b/test/certs/ext-holderNameConstraints.pem
@ -0,0 +1,12 @@
 -----BEGIN CERTIFICATE-----
 MIIBsDCCAZygAwIBAgIDAQIDMAsGCSqGSIb3DQEBBTAAMCIYDzIwMjEwODMxMDI0
 MTA0WhgPMjAyMTA4MzEwMjQxMDRaMAAwggEgMAsGCSqGSIb3DQEBAQOCAQ8AMIIB
 CgKCAQEAtnjLm1ts1hC4fNNt3UnQD9y73bDXgioTyWYSI3ca/KNfuTydjFTEYAmq
 nuGrBOUfgbmH3PRQ0AmpqljgWTb3d3K8H4UFvDWQTPSS21IMjm8oqd19nE5GxWir
 Gu0oDRzhWLHe1RZ7ZrohCPg/1Ocsy47QZuK2laFB0rEmrRWBmEYbDl3/wxf5XfqI
 qpOynJB02thXrTCcTM7Rz1FqCFt/ZVZB5hKY2S+CTdE9OIVKlr4WHMfuvUYeOj06
 GkwLFJHNv2tU+tovI3mYRxUuY4UupkS3MC+Otey7XKm1P+INjWWoegm6iCAt3Vus
 pVz+6pU2xgl3nrAVMQHB4fReQPH0pQIDAQABozcwNTAzBgNVHUUELDAqoCgwJqQe
 MBwxGjAYBgNVBAMMEVdpbGRib2FyIFNvZnR3YXJlgAEBgQEDMAsGCSqGSIb3DQEB
 BQMBAA==
 -----END CERTIFICATE-----
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 setup("test_x509");
-plan tests => 60;
+plan tests => 66;
 # Prevent MSys2 filename munging for arguments that look like file paths but
 # aren't
@ -172,6 +172,28 @@ cert_contains($tgt_info_cert,
              "Digest Type: Public Key",
              1, 'X.509 Targeting Information Object Digest Type');
 my $hnc_cert = srctop_file(@certs, "ext-holderNameConstraints.pem");
 cert_contains($hnc_cert,
              "X509v3 Holder Name Constraints",
              1, 'X.509 Holder Name Constraints');
 cert_contains($hnc_cert,
              "Permitted:",
              1, 'X.509 Holder Name Constraints Permitted');
 cert_contains($hnc_cert,
              "DirName:CN = Wildboar",
              1, 'X.509 Holder Name Constraint');
 my $dnc_cert = srctop_file(@certs, "ext-delegatedNameConstraints.pem");
 cert_contains($dnc_cert,
              "X509v3 Delegated Name Constraints",
              1, 'X.509 Delegated Name Constraints');
 cert_contains($dnc_cert,
              "Permitted:",
              1, 'X.509 Delegated Name Constraints Permitted');
 cert_contains($dnc_cert,
              "DirName:CN = Wildboar",
              1, 'X.509 Delegated Name Constraint');
 sub test_errors { # actually tests diagnostics of OSSL_STORE
    my ($expected, $cert, @opts) = @_;
    my $infile = srctop_file(@certs, $cert);