x509_acert: Add, remove and get attribute certificate attributes

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15857)

crypto/x509/x509_acert.c

@@ -183,3 +183,62 @@ const ASN1_GENERALIZEDTIME *X509_ACERT_get0_notAfter(const X509_ACERT *x)
 {
     return x->acinfo->validityPeriod.notAfter;
 }
+
+/* Attribute management functions */
+
+int X509_ACERT_get_attr_count(const X509_ACERT *x)
+{
+    return X509at_get_attr_count(x->acinfo->attributes);
+}
+
+int X509_ACERT_get_attr_by_NID(const X509_ACERT *x, int nid, int lastpos)
+{
+    return X509at_get_attr_by_NID(x->acinfo->attributes, nid, lastpos);
+}
+
+int X509_ACERT_get_attr_by_OBJ(const X509_ACERT *x, const ASN1_OBJECT *obj,
+                               int lastpos)
+{
+    return X509at_get_attr_by_OBJ(x->acinfo->attributes, obj, lastpos);
+}
+
+X509_ATTRIBUTE *X509_ACERT_get_attr(const X509_ACERT *x, int loc)
+{
+    return X509at_get_attr(x->acinfo->attributes, loc);
+}
+
+X509_ATTRIBUTE *X509_ACERT_delete_attr(X509_ACERT *x, int loc)
+{
+    return X509at_delete_attr(x->acinfo->attributes, loc);
+}
+
+int X509_ACERT_add1_attr(X509_ACERT *x, X509_ATTRIBUTE *attr)
+{
+    STACK_OF(X509_ATTRIBUTE) **attrs = &x->acinfo->attributes;
+
+    return X509at_add1_attr(attrs, attr) != NULL;
+}
+
+int X509_ACERT_add1_attr_by_OBJ(X509_ACERT *x, const ASN1_OBJECT *obj,
+                                int type, const void *bytes, int len)
+{
+    STACK_OF(X509_ATTRIBUTE) **attrs = &x->acinfo->attributes;
+
+    return X509at_add1_attr_by_OBJ(attrs, obj, type, bytes, len) != NULL;
+}
+
+int X509_ACERT_add1_attr_by_NID(X509_ACERT *x, int nid, int type,
+                                const void *bytes, int len)
+{
+    STACK_OF(X509_ATTRIBUTE) **attrs = &x->acinfo->attributes;
+
+    return X509at_add1_attr_by_NID(attrs, nid, type, bytes, len) != NULL;
+}
+
+int X509_ACERT_add1_attr_by_txt(X509_ACERT *x, const char *attrname, int type,
+                                const unsigned char *bytes, int len)
+{
+    STACK_OF(X509_ATTRIBUTE) **attrs = &x->acinfo->attributes;
+
+    return X509at_add1_attr_by_txt(attrs, attrname, type, bytes, len) != NULL;
+}

doc/build.info

@@ -2799,10 +2799,18 @@ DEPEND[html/man3/X509V3_set_ctx.html]=man3/X509V3_set_ctx.pod
 GENERATE[html/man3/X509V3_set_ctx.html]=man3/X509V3_set_ctx.pod
 DEPEND[man/man3/X509V3_set_ctx.3]=man3/X509V3_set_ctx.pod
 GENERATE[man/man3/X509V3_set_ctx.3]=man3/X509V3_set_ctx.pod
+DEPEND[html/man3/X509_ACERT_add1_attr.html]=man3/X509_ACERT_add1_attr.pod
+GENERATE[html/man3/X509_ACERT_add1_attr.html]=man3/X509_ACERT_add1_attr.pod
+DEPEND[man/man3/X509_ACERT_add1_attr.3]=man3/X509_ACERT_add1_attr.pod
+GENERATE[man/man3/X509_ACERT_add1_attr.3]=man3/X509_ACERT_add1_attr.pod
 DEPEND[html/man3/X509_ACERT_get0_holder_baseCertId.html]=man3/X509_ACERT_get0_holder_baseCertId.pod
 GENERATE[html/man3/X509_ACERT_get0_holder_baseCertId.html]=man3/X509_ACERT_get0_holder_baseCertId.pod
 DEPEND[man/man3/X509_ACERT_get0_holder_baseCertId.3]=man3/X509_ACERT_get0_holder_baseCertId.pod
 GENERATE[man/man3/X509_ACERT_get0_holder_baseCertId.3]=man3/X509_ACERT_get0_holder_baseCertId.pod
+DEPEND[html/man3/X509_ACERT_get_attr.html]=man3/X509_ACERT_get_attr.pod
+GENERATE[html/man3/X509_ACERT_get_attr.html]=man3/X509_ACERT_get_attr.pod
+DEPEND[man/man3/X509_ACERT_get_attr.3]=man3/X509_ACERT_get_attr.pod
+GENERATE[man/man3/X509_ACERT_get_attr.3]=man3/X509_ACERT_get_attr.pod
 DEPEND[html/man3/X509_ACERT_print_ex.html]=man3/X509_ACERT_print_ex.pod
 GENERATE[html/man3/X509_ACERT_print_ex.html]=man3/X509_ACERT_print_ex.pod
 DEPEND[man/man3/X509_ACERT_print_ex.3]=man3/X509_ACERT_print_ex.pod
@@ -3639,7 +3647,9 @@ html/man3/UI_create_method.html \
 html/man3/UI_new.html \
 html/man3/X509V3_get_d2i.html \
 html/man3/X509V3_set_ctx.html \
+html/man3/X509_ACERT_add1_attr.html \
 html/man3/X509_ACERT_get0_holder_baseCertId.html \
+html/man3/X509_ACERT_get_attr.html \
 html/man3/X509_ACERT_print_ex.html \
 html/man3/X509_ALGOR_dup.html \
 html/man3/X509_ATTRIBUTE.html \
@@ -4286,7 +4296,9 @@ man/man3/UI_create_method.3 \
 man/man3/UI_new.3 \
 man/man3/X509V3_get_d2i.3 \
 man/man3/X509V3_set_ctx.3 \
+man/man3/X509_ACERT_add1_attr.3 \
 man/man3/X509_ACERT_get0_holder_baseCertId.3 \
+man/man3/X509_ACERT_get_attr.3 \
 man/man3/X509_ACERT_print_ex.3 \
 man/man3/X509_ALGOR_dup.3 \
 man/man3/X509_ATTRIBUTE.3 \

doc/man3/X509_ACERT_add1_attr.pod

@@ -0,0 +1,67 @@
+=pod
+
+=head1 NAME
+
+X509_ACERT_add1_attr,
+X509_ACERT_add1_attr_by_NID,
+X509_ACERT_add1_attr_by_OBJ,
+X509_ACERT_add1_attr_by_txt,
+X509_ACERT_delete_attr
+- X509_ACERT attribute functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509_acert.h>
+
+ int X509_ACERT_add1_attr(X509_ACERT *x, X509_ATTRIBUTE *attr);
+ int X509_ACERT_add1_attr_by_NID(X509_ACERT *x, int nid, int type,
+                                 const void *bytes, int len);
+ int X509_ACERT_add1_attr_by_OBJ(X509_ACERT *x, const ASN1_OBJECT *obj,
+                                 int type, const void *bytes, int len);
+ int X509_ACERT_add1_attr_by_txt(X509_ACERT *x, const char *attrname, int type,
+                                 const unsigned char *bytes, int len);
+ X509_ATTRIBUTE *X509_ACERT_delete_attr(X509_ACERT *x, int loc);
+
+=head1 DESCRIPTION
+
+X509_ACERT_add1_attr() adds a constructed X509_ATTRIBUTE B<attr> to the
+existing X509_ACERT structure B<x>.
+
+X509_ACERT_add1_attr_by_NID() and X509_ACERT_add1_attr_by_OBJ()
+add an attribute of type I<nid> or I<obj> with a value of ASN1
+type I<type> constructed using I<len> bytes from I<bytes>.
+
+X509_ACERT_add1_attr_by_txt() adds an attribute of type I<attrname> with a value of
+ASN1 type I<type> constructed using I<len> bytes from I<bytes>.
+
+X509_ACERT_delete_attr() will delete the I<loc>th attribute from I<x> and
+return a pointer to it or NULL if there are fewer than I<loc> attributes
+contained in I<x>.
+
+=head1 RETURN VALUES
+
+X509_ACERT_add1_attr(), X509_ACERT_add1_attr_by_NID(), and
+X509_ACERT_add1_attr_by_OBJ() return 1 for success and 0 for failure.
+
+X509_ACERT_delete_attr() returns a B<X509_ATTRIBUTE> pointer on
+success or NULL on failure.
+
+=head1 SEE ALSO
+
+L<X509_ACERT_get_attr_count(3)>
+
+=head1 HISTORY
+
+X509_ACERT_add1_attr(), X509_ACERT_add1_attr_by_NID(), X509_ACERT_add1_attr_by_OBJ(),
+X509_ACERT_add1_attr_by_txt() and X509_ACERT_delete_attr() were added in OpenSSL 3.4.
+
+=head1 COPYRIGHT
+
+Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut

doc/man3/X509_ACERT_get_attr.pod

@@ -0,0 +1,59 @@
+=pod
+
+=head1 NAME
+
+X509_ACERT_get_attr,
+X509_ACERT_get_attr_by_NID,
+X509_ACERT_get_attr_by_OBJ,
+X509_ACERT_get_attr_count
+- Retrieve attributes from an X509_ACERT structure
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509_acert.h>
+
+ X509_ATTRIBUTE *X509_ACERT_get_attr(const X509_ACERT *x, int loc);
+ int X509_ACERT_get_attr_by_NID(const X509_ACERT *x, int nid, int lastpos);
+ int X509_ACERT_get_attr_by_OBJ(const X509_ACERT *x, const ASN1_OBJECT *obj,
+                                int lastpos);
+ int X509_ACERT_get_attr_count(const X509_ACERT *x);
+
+=head1 DESCRIPTION
+
+X509_ACERT_get0_attr() retrieves the I<loc>th B<X509_ATTRIBUTE> from an
+B<X509_ACERT> I<x>.  X509_ACERT_get_attr_count() returns the total number
+of attributes in the B<X509_ACERT>.
+
+X509_ACERT_get_attr_by_NID() and X509_ACERT_get_attr_by_OBJ() retrieve the next
+attribute location matching I<nid> or I<obj> after I<lastpos>. I<lastpos>
+should initially be set to -1.
+If there are no more entries -1 is returned. If I<nid> is invalid
+(doesn't correspond to a valid OID) then -2 is returned.
+
+=head1 RETURN VALUES
+
+X509_ACERT_get0_attr() return a B<X509_ATTRIBUTE> from an attribute
+certificate, or NULL if the specified attribute is not found.
+
+X509_ACERT_get_attr_by_NID() and X509_ACERT_get_attr_by_OBJ() return
+the location of the next attribute requested or -1 if not found.
+X509_ACERT_get_attr_by_NID() can also return -2 if the supplied NID is invalid.
+
+X509_ACERT_get_attr_count() returns the number of attributes in the given
+attribute certificate.
+
+=head1 HISTORY
+
+X509_ACERT_get0_attr(), X509_ACERT_get_attr_by_NID(), X509_ACERT_get_attr_by_OBJ() and
+X509_ACERT_get_attr_count() were added in OpenSSL 3.4.
+
+=head1 COPYRIGHT
+
+Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut

include/openssl/x509_acert.h.in

@@ -66,6 +66,13 @@ int X509_ACERT_print(BIO *bp, X509_ACERT *x);
 int X509_ACERT_print_ex(BIO *bp, X509_ACERT *x, unsigned long nmflags,
                         unsigned long cflag);
 
+int X509_ACERT_get_attr_count(const X509_ACERT *x);
+int X509_ACERT_get_attr_by_NID(const X509_ACERT *x, int nid, int lastpos);
+int X509_ACERT_get_attr_by_OBJ(const X509_ACERT *x, const ASN1_OBJECT *obj,
+                               int lastpos);
+X509_ATTRIBUTE *X509_ACERT_get_attr(const X509_ACERT *x, int loc);
+X509_ATTRIBUTE *X509_ACERT_delete_attr(X509_ACERT *x, int loc);
+
 # define OSSL_OBJECT_DIGEST_INFO_PUBLIC_KEY        0
 # define OSSL_OBJECT_DIGEST_INFO_PUBLIC_KEY_CERT   1
 # define OSSL_OBJECT_DIGEST_INFO_OTHER             2  /* must not be used in RFC 5755 profile */
@@ -75,6 +82,14 @@ void X509_ACERT_set0_holder_baseCertId(X509_ACERT *x, OSSL_ISSUER_SERIAL *isss);
 void X509_ACERT_set0_holder_digest(X509_ACERT *x,
                                    OSSL_OBJECT_DIGEST_INFO *dinfo);
 
+int X509_ACERT_add1_attr(X509_ACERT *x, X509_ATTRIBUTE *attr);
+int X509_ACERT_add1_attr_by_OBJ(X509_ACERT *x, const ASN1_OBJECT *obj,
+                                int type, const void *bytes, int len);
+int X509_ACERT_add1_attr_by_NID(X509_ACERT *x, int nid, int type,
+                                const void *bytes, int len);
+int X509_ACERT_add1_attr_by_txt(X509_ACERT *x, const char *attrname, int type,
+                                const unsigned char *bytes, int len);
+
 int X509_ACERT_set1_issuerName(X509_ACERT *x, const X509_NAME *name);
 int X509_ACERT_set1_serialNumber(X509_ACERT *x, const ASN1_INTEGER *serial);
 int X509_ACERT_set1_notBefore(X509_ACERT *x, const ASN1_GENERALIZEDTIME *time);

util/libcrypto.num

@@ -5603,3 +5603,12 @@ OSSL_ISSUER_SERIAL_set1_serial          ?	3_4_0	EXIST::FUNCTION:
 OSSL_ISSUER_SERIAL_set1_issuerUID       ?	3_4_0	EXIST::FUNCTION:
 X509_ACERT_print                        ?	3_4_0	EXIST::FUNCTION:
 X509_ACERT_print_ex                     ?	3_4_0	EXIST::FUNCTION:
+X509_ACERT_get_attr_count               ?	3_4_0	EXIST::FUNCTION:
+X509_ACERT_get_attr_by_NID              ?	3_4_0	EXIST::FUNCTION:
+X509_ACERT_get_attr_by_OBJ              ?	3_4_0	EXIST::FUNCTION:
+X509_ACERT_get_attr                     ?	3_4_0	EXIST::FUNCTION:
+X509_ACERT_delete_attr                  ?	3_4_0	EXIST::FUNCTION:
+X509_ACERT_add1_attr                    ?	3_4_0	EXIST::FUNCTION:
+X509_ACERT_add1_attr_by_OBJ             ?	3_4_0	EXIST::FUNCTION:
+X509_ACERT_add1_attr_by_NID             ?	3_4_0	EXIST::FUNCTION:
+X509_ACERT_add1_attr_by_txt             ?	3_4_0	EXIST::FUNCTION: