mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-03-19 19:50:42 +08:00
Code Issues Packages Projects Releases Wiki Activity

Issuer Sign Tool extention support

Browse Source 
Issuer Sign Tool (1.2.643.100.112) The name of the tool used to signs the subject (ASN1_SEQUENCE)
This extention is required to obtain the status of a qualified certificate at Russian Federation.
RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5
Russian Federal Law 63 "Digital Sign" is available here:  http://www.consultant.ru/document/cons_doc_LAW_112701/

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11216)
This commit is contained in:
Nikolay Morozov 2020-03-02 10:17:30 +03:00 committed by Dmitry Belyavskiy
parent 129c22840e
commit 71f852802f
14 changed files with 420 additions and 2 deletions

3
crypto/asn1/asn1_item_list.h

@ -1,5 +1,5 @@
/*
* Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -145,6 +145,7 @@ static ASN1_ITEM_EXP *asn1_item_list[] = {
#endif
ASN1_ITEM_ref(SXNETID),
ASN1_ITEM_ref(SXNET),
ASN1_ITEM_ref(ISSUER_SIGN_TOOL),
ASN1_ITEM_ref(USERNOTICE),
ASN1_ITEM_ref(X509_ALGORS),
ASN1_ITEM_ref(X509_ALGOR),

2
crypto/err/openssl.txt

@ -1770,6 +1770,7 @@ X509V3_F_DO_DIRNAME:144:do_dirname
X509V3_F_DO_EXT_I2D:135:do_ext_i2d
X509V3_F_DO_EXT_NCONF:151:do_ext_nconf
X509V3_F_GNAMES_FROM_SECTNAME:156:gnames_from_sectname
X509V3_F_I2R_ISSUER_SIGN_TOOL:176:
X509V3_F_I2S_ASN1_ENUMERATED:121:i2s_ASN1_ENUMERATED
X509V3_F_I2S_ASN1_IA5STRING:149:i2s_ASN1_IA5STRING
X509V3_F_I2S_ASN1_INTEGER:120:i2s_ASN1_INTEGER
@ -1809,6 +1810,7 @@ X509V3_F_V2I_GENERAL_NAME_EX:117:v2i_GENERAL_NAME_ex
X509V3_F_V2I_IDP:157:v2i_idp
X509V3_F_V2I_IPADDRBLOCKS:159:v2i_IPAddrBlocks
X509V3_F_V2I_ISSUER_ALT:153:v2i_issuer_alt
X509V3_F_V2I_ISSUER_SIGN_TOOL:175:
X509V3_F_V2I_NAME_CONSTRAINTS:147:v2i_NAME_CONSTRAINTS
X509V3_F_V2I_POLICY_CONSTRAINTS:146:v2i_POLICY_CONSTRAINTS
X509V3_F_V2I_POLICY_MAPPINGS:145:v2i_POLICY_MAPPINGS

2
crypto/x509/build.info

@ -12,6 +12,6 @@ SOURCE[../../libcrypto]=\
v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \
v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c \
v3_info.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c \
v3_pcia.c v3_pci.c \
v3_pcia.c v3_pci.c v3_ist.c \
pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \
v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c

1
crypto/x509/ext_dat.h

@ -24,3 +24,4 @@ extern const X509V3_EXT_METHOD v3_ct_scts[3];
extern const X509V3_EXT_METHOD v3_tls_feature;
extern const X509V3_EXT_METHOD v3_ext_admission;
extern const X509V3_EXT_METHOD v3_utf8_list[1];
extern const X509V3_EXT_METHOD v3_issuer_sign_tool;

1
crypto/x509/standard_exts.h

@ -69,6 +69,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
&v3_ct_scts[2],
#endif
&v3_utf8_list[0],
&v3_issuer_sign_tool,
&v3_tls_feature,
&v3_ext_admission
};

149
crypto/x509/v3_ist.c Normal file

@ -0,0 +1,149 @@
/*
* Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/conf.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
#include "ext_dat.h"
/*
* Issuer Sign Tool (1.2.643.100.112) The name of the tool used to signs the subject (ASN1_SEQUENCE)
* This extention is required to obtain the status of a qualified certificate at Russian Federation.
* RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5
* Russian Federal Law 63 "Digital Sign" is available here: http://www.consultant.ru/document/cons_doc_LAW_112701/
*/
ASN1_SEQUENCE(ISSUER_SIGN_TOOL) = {
ASN1_SIMPLE(ISSUER_SIGN_TOOL, signTool, ASN1_UTF8STRING),
ASN1_SIMPLE(ISSUER_SIGN_TOOL, cATool, ASN1_UTF8STRING),
ASN1_SIMPLE(ISSUER_SIGN_TOOL, signToolCert, ASN1_UTF8STRING),
ASN1_SIMPLE(ISSUER_SIGN_TOOL, cAToolCert, ASN1_UTF8STRING)
} ASN1_SEQUENCE_END(ISSUER_SIGN_TOOL)
IMPLEMENT_ASN1_FUNCTIONS(ISSUER_SIGN_TOOL)
static ISSUER_SIGN_TOOL *v2i_issuer_sign_tool(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *nval)
{
ISSUER_SIGN_TOOL *ist = ISSUER_SIGN_TOOL_new();
int i;
if (ist == NULL) {
X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE);
return NULL;
}
for (i = 0; i < sk_CONF_VALUE_num(nval); ++i) {
CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
if (cnf == NULL) {
continue;
}
if (strcmp(cnf->name, "signTool") == 0) {
ist->signTool = ASN1_UTF8STRING_new();
if (ist->signTool == NULL) {
X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE);
ISSUER_SIGN_TOOL_free(ist);
return NULL;
}
ASN1_STRING_set(ist->signTool, cnf->value, strlen(cnf->value));
} else if (strcmp(cnf->name, "cATool") == 0) {
ist->cATool = ASN1_UTF8STRING_new();
if (ist->cATool == NULL) {
X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE);
ISSUER_SIGN_TOOL_free(ist);
return NULL;
}
ASN1_STRING_set(ist->cATool, cnf->value, strlen(cnf->value));
} else if (strcmp(cnf->name, "signToolCert") == 0) {
ist->signToolCert = ASN1_UTF8STRING_new();
if (ist->signToolCert == NULL) {
X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE);
ISSUER_SIGN_TOOL_free(ist);
return NULL;
}
ASN1_STRING_set(ist->signToolCert, cnf->value, strlen(cnf->value));
} else if (strcmp(cnf->name, "cAToolCert") == 0) {
ist->cAToolCert = ASN1_UTF8STRING_new();
if (ist->cAToolCert == NULL) {
X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE);
ISSUER_SIGN_TOOL_free(ist);
return NULL;
}
ASN1_STRING_set(ist->cAToolCert, cnf->value, strlen(cnf->value));
} else {
X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_PASSED_INVALID_ARGUMENT);
ISSUER_SIGN_TOOL_free(ist);
return NULL;
}
}
return ist;
}
static int i2r_issuer_sign_tool(X509V3_EXT_METHOD *method,
ISSUER_SIGN_TOOL *ist, BIO *out,
int indent)
{
int new_line = 0;
if (ist == NULL) {
X509V3err(X509V3_F_I2R_ISSUER_SIGN_TOOL, ERR_R_PASSED_INVALID_ARGUMENT);
return 0;
}
if (ist->signTool != NULL) {
if (new_line == 1) {
BIO_write(out, "\n", 1);
}
BIO_printf(out, "%*ssignTool : ", indent, "");
BIO_write(out, ist->signTool->data, ist->signTool->length);
new_line = 1;
}
if (ist->cATool != NULL) {
if (new_line == 1) {
BIO_write(out, "\n", 1);
}
BIO_printf(out, "%*scATool : ", indent, "");
BIO_write(out, ist->cATool->data, ist->cATool->length);
new_line = 1;
}
if (ist->signToolCert != NULL) {
if (new_line == 1) {
BIO_write(out, "\n", 1);
}
BIO_printf(out, "%*ssignToolCert: ", indent, "");
BIO_write(out, ist->signToolCert->data, ist->signToolCert->length);
new_line = 1;
}
if (ist->cAToolCert != NULL) {
if (new_line == 1) {
BIO_write(out, "\n", 1);
}
BIO_printf(out, "%*scAToolCert : ", indent, "");
BIO_write(out, ist->cAToolCert->data, ist->cAToolCert->length);
new_line = 1;
}
return 1;
}
const X509V3_EXT_METHOD v3_issuer_sign_tool = {
NID_issuerSignTool, /* nid */
X509V3_EXT_MULTILINE, /* flags */
ASN1_ITEM_ref(ISSUER_SIGN_TOOL), /* template */
0, 0, 0, 0, /* old functions, ignored */
0, /* i2s */
0, /* s2i */
0, /* i2v */
(X509V3_EXT_V2I)v2i_issuer_sign_tool, /* v2i */
(X509V3_EXT_I2R)i2r_issuer_sign_tool, /* i2r */
0, /* r2i */
NULL /* extension-specific data */
};

51
doc/man3/ISSUER_SIGN_TOOL_new.pod Normal file

@ -0,0 +1,51 @@
=pod
=head1 NAME
ISSUER_SIGN_TOOL_new, ISSUER_SIGN_TOOL_free,ISSUER_SIGN_TOOL_it,
d2i_ISSUER_SIGN_TOOL, i2d_ISSUER_SIGN_TOOL
=head1 SYNOPSIS
=for openssl generic
#include <openssl/x509v3.h>
extern const ISSUER_SIGN_TOOL_it;
ISSUER_SIGN_TOOL *ISSUER_SIGN_TOOL_new(void);
void ISSUER_SIGN_TOOL_free(ISSUER_SIGN_TOOL *v);
ISSUER_SIGN_TOOL *d2i_ISSUER_SIGN_TOOL(ISSUER_SIGN_TOOL **a, const unsigned char **pp, long length);
int i2d_ISSUER_SIGN_TOOL(const ISSUER_SIGN_TOOL *a, unsigned char **pp);
=head1 DESCRIPTION
The ISSUER_SIGN_TOOL_new() function returns a new ISSUER_SIGN_TOOL.
ISSUER_SIGN_TOOL_free() frees up a single ISSUER_SIGN_TOOL object.
=head1 RETURN VALUES
ISSUER_SIGN_TOOL_new() returns a newly created ISSUER_SIGN_TOOL or NULL if the call fails.
ISSUER_SIGN_TOOL_free() does not return values.
d2i_ISSUER_SIGN_TOOL() and i2d_ISSUER_SIGN_TOOL() decode and encode an B<ISSUER_SIGN_TOOL>
structure. They otherwise follow the conventions of other ASN.1 functions such as d2i_X509().
=head1 HISTORY
The ISSUER_SIGN_TOOL_up_ref(), ISSUER_SIGN_TOOL_lock() and ISSUER_SIGN_TOOL_unlock()
functions were added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut

9
include/openssl/x509v3.h

@ -230,6 +230,13 @@ typedef struct SXNET_st {
STACK_OF(SXNETID) *ids;
} SXNET;
typedef struct ISSUER_SIGN_TOOL_st {
ASN1_UTF8STRING *signTool;
ASN1_UTF8STRING *cATool;
ASN1_UTF8STRING *signToolCert;
ASN1_UTF8STRING *cAToolCert;
} ISSUER_SIGN_TOOL;
typedef struct NOTICEREF_st {
ASN1_STRING *organization;
STACK_OF(ASN1_INTEGER) *noticenos;
@ -458,6 +465,8 @@ DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
DECLARE_ASN1_FUNCTIONS(SXNET)
DECLARE_ASN1_FUNCTIONS(SXNETID)
DECLARE_ASN1_FUNCTIONS(ISSUER_SIGN_TOOL)
int SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user, int userlen);
int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user,
int userlen);

2
include/openssl/x509v3err.h

@ -41,6 +41,7 @@ int ERR_load_X509V3_strings(void);
# define X509V3_F_DO_EXT_I2D 0
# define X509V3_F_DO_EXT_NCONF 0
# define X509V3_F_GNAMES_FROM_SECTNAME 0
# define X509V3_F_I2R_ISSUER_SIGN_TOOL 0
# define X509V3_F_I2S_ASN1_ENUMERATED 0
# define X509V3_F_I2S_ASN1_IA5STRING 0
# define X509V3_F_I2S_ASN1_INTEGER 0
@ -80,6 +81,7 @@ int ERR_load_X509V3_strings(void);
# define X509V3_F_V2I_IDP 0
# define X509V3_F_V2I_IPADDRBLOCKS 0
# define X509V3_F_V2I_ISSUER_ALT 0
# define X509V3_F_V2I_ISSUER_SIGN_TOOL 0
# define X509V3_F_V2I_NAME_CONSTRAINTS 0
# define X509V3_F_V2I_POLICY_CONSTRAINTS 0
# define X509V3_F_V2I_POLICY_MAPPINGS 0

30
test/certs/grfc.pem Normal file

@ -0,0 +1,30 @@
-----BEGIN CERTIFICATE-----
MIIFGDCCBMegAwIBAgIQDIxAk7vmk71DC/UYJgMdBTAIBgYqhQMCAgMwggEWMRgw
FgYFKoUDZAESDTEwMjc3MzkzMzQ0NzkxGjAYBggqhQMDgQMBARIMMDA3NzA2MjI4
MjE4MTowOAYDVQQJDDHQlNC10YDQsdC10L3QtdCy0YHQutCw0Y8g0L3QsNCxLiDQ
tC4gNyDRgdGC0YAuIDE1MR8wHQYJKoZIhvcNAQkBFhBwa2ktZ3JmY0BncmZjLnJ1
MQswCQYDVQQGEwJSVTEcMBoGA1UECAwTNzcg0LMuINCc0L7RgdC60LLQsDEVMBMG
A1UEBwwM0JzQvtGB0LrQstCwMRwwGgYDVQQKDBPQpNCT0KPQnyAi0JPQoNCn0KYi
MSEwHwYDVQQDDBjQo9CmINCk0JPQo9CfICLQk9Cg0KfQpiIwHhcNMTMwMzEyMDcz
ODI2WhcNMjgwMzEyMDc0NjAwWjCCARYxGDAWBgUqhQNkARINMTAyNzczOTMzNDQ3
OTEaMBgGCCqFAwOBAwEBEgwwMDc3MDYyMjgyMTgxOjA4BgNVBAkMMdCU0LXRgNCx
0LXQvdC10LLRgdC60LDRjyDQvdCw0LEuINC0LiA3INGB0YLRgC4gMTUxHzAdBgkq
hkiG9w0BCQEWEHBraS1ncmZjQGdyZmMucnUxCzAJBgNVBAYTAlJVMRwwGgYDVQQI
DBM3NyDQsy4g0JzQvtGB0LrQstCwMRUwEwYDVQQHDAzQnNC+0YHQutCy0LAxHDAa
BgNVBAoME9Ck0JPQo9CfICLQk9Cg0KfQpiIxITAfBgNVBAMMGNCj0KYg0KTQk9Cj
0J8gItCT0KDQp9CmIjBjMBwGBiqFAwICEzASBgcqhQMCAiMBBgcqhQMCAh4BA0MA
BECWU7YnkJgff0sdJ+i50FXAYZlpcSz8wO/2AnfCzGC+PMj/NGOKMMWcv8I9eN7W
eEXwIuRc96StDM8zJigQGd/1o4IB6TCCAeUwNgYFKoUDZG8ELQwrItCa0YDQuNC/
0YLQvtCf0YDQviBDU1AiICjQstC10YDRgdC40Y8gMy42KTCCATMGBSqFA2RwBIIB
KDCCASQMKyLQmtGA0LjQv9GC0L7Qn9GA0L4gQ1NQIiAo0LLQtdGA0YHQuNGPIDMu
NikMUyLQo9C00L7RgdGC0L7QstC10YDRj9GO0YnQuNC5INGG0LXQvdGC0YAgItCa
0YDQuNC/0YLQvtCf0YDQviDQo9CmIiDQstC10YDRgdC40LggMS41DE/QodC10YDR
gtC40YTQuNC60LDRgiDRgdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQv
MTIxLTE4NTkg0L7RgiAxNy4wNi4yMDEyDE/QodC10YDRgtC40YTQuNC60LDRgiDR
gdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQvMTI4LTE4MjIg0L7RgiAw
MS4wNi4yMDEyMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBRrAIaDidIAz1a4a+TjNhAeH3KuwzAQBgkrBgEEAYI3FQEEAwIBADAlBgNVHSAE
HjAcMAgGBiqFA2RxATAIBgYqhQNkcQIwBgYEVR0gADAIBgYqhQMCAgMDQQC9ld1f
Oit0pSliIMIkqIugExoh9UrWLrE/9VDplqCiyXkJFaJBwGDhHT8ljYj0TGDzD07j
KW64bgG0AywHjyc3
-----END CERTIFICATE-----

33
test/recipes/25-test_rusext.t Normal file

@ -0,0 +1,33 @@
#! /usr/bin/env perl
# Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use File::Spec;
use OpenSSL::Test::Utils;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_rusext");
plan tests => 5;
require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
my $pem = srctop_file("test/certs", "grfc.pem");
my $out_msb = "grfc.msb";
my $out_utf8 = "grfc.utf8";
ok(run(app(["openssl", "x509", "-text", "-in", $pem, "-out", $out_msb,
"-nameopt", "esc_msb", "-certopt", "no_pubkey"])));
is(cmp_text($out_msb, srctop_file('test', 'recipes', '25-test_rusext_data', 'grfc.msb')),
0, 'Comparing esc_msb output');
ok(run(app(["openssl", "x509", "-text", "-in", $pem, "-out", $out_utf8,
"-nameopt", "utf8", "-certopt", "no_pubkey"])));
is(cmp_text($out_utf8, srctop_file('test', 'recipes', '25-test_rusext_data', 'grfc.utf8')),
0, 'Comparing utf8 output');

67
test/recipes/25-test_rusext_data/grfc.msb Normal file

@ -0,0 +1,67 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0c:8c:40:93:bb:e6:93:bd:43:0b:f5:18:26:03:1d:05
Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001
Issuer: OGRN=1027739334479, INN=007706228218, street=\U0414\U0435\U0440\U0431\U0435\U043D\U0435\U0432\U0441\U043A\U0430\U044F \U043D\U0430\U0431. \U0434. 7 \U0441\U0442\U0440. 15, emailAddress=pki-grfc@grfc.ru, C=RU, ST=77 \U0433. \U041C\U043E\U0441\U043A\U0432\U0430, L=\U041C\U043E\U0441\U043A\U0432\U0430, O=\U0424\U0413\U0423\U041F "\U0413\U0420\U0427\U0426", CN=\U0423\U0426 \U0424\U0413\U0423\U041F "\U0413\U0420\U0427\U0426"
Validity
Not Before: Mar 12 07:38:26 2013 GMT
Not After : Mar 12 07:46:00 2028 GMT
Subject: OGRN=1027739334479, INN=007706228218, street=\U0414\U0435\U0440\U0431\U0435\U043D\U0435\U0432\U0441\U043A\U0430\U044F \U043D\U0430\U0431. \U0434. 7 \U0441\U0442\U0440. 15, emailAddress=pki-grfc@grfc.ru, C=RU, ST=77 \U0433. \U041C\U043E\U0441\U043A\U0432\U0430, L=\U041C\U043E\U0441\U043A\U0432\U0430, O=\U0424\U0413\U0423\U041F "\U0413\U0420\U0427\U0426", CN=\U0423\U0426 \U0424\U0413\U0423\U041F "\U0413\U0420\U0427\U0426"
X509v3 extensions:
Signing Tool of Subject:
"КриптоПро CSP" (версия 3.6)
Signing Tool of Issuer:
signTool : "КриптоПро CSP" (версия 3.6)
cATool : "Удостоверяющий центр "КриптоПро УЦ" версии 1.5
signToolCert: Сертификат соответствия № СФ/121-1859 от 17.06.2012
cAToolCert : Сертификат соответствия № СФ/128-1822 от 01.06.2012
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
6B:00:86:83:89:D2:00:CF:56:B8:6B:E4:E3:36:10:1E:1F:72:AE:C3
1.3.6.1.4.1.311.21.1:
...
X509v3 Certificate Policies:
Policy: 1.2.643.100.113.1
Policy: 1.2.643.100.113.2
Policy: X509v3 Any Policy
Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001
Signature Value:
bd:95:dd:5f:3a:2b:74:a5:29:62:20:c2:24:a8:8b:a0:13:1a:
21:f5:4a:d6:2e:b1:3f:f5:50:e9:96:a0:a2:c9:79:09:15:a2:
41:c0:60:e1:1d:3f:25:8d:88:f4:4c:60:f3:0f:4e:e3:29:6e:
b8:6e:01:b4:03:2c:07:8f:27:37
-----BEGIN CERTIFICATE-----
MIIFGDCCBMegAwIBAgIQDIxAk7vmk71DC/UYJgMdBTAIBgYqhQMCAgMwggEWMRgw
FgYFKoUDZAESDTEwMjc3MzkzMzQ0NzkxGjAYBggqhQMDgQMBARIMMDA3NzA2MjI4
MjE4MTowOAYDVQQJDDHQlNC10YDQsdC10L3QtdCy0YHQutCw0Y8g0L3QsNCxLiDQ
tC4gNyDRgdGC0YAuIDE1MR8wHQYJKoZIhvcNAQkBFhBwa2ktZ3JmY0BncmZjLnJ1
MQswCQYDVQQGEwJSVTEcMBoGA1UECAwTNzcg0LMuINCc0L7RgdC60LLQsDEVMBMG
A1UEBwwM0JzQvtGB0LrQstCwMRwwGgYDVQQKDBPQpNCT0KPQnyAi0JPQoNCn0KYi
MSEwHwYDVQQDDBjQo9CmINCk0JPQo9CfICLQk9Cg0KfQpiIwHhcNMTMwMzEyMDcz
ODI2WhcNMjgwMzEyMDc0NjAwWjCCARYxGDAWBgUqhQNkARINMTAyNzczOTMzNDQ3
OTEaMBgGCCqFAwOBAwEBEgwwMDc3MDYyMjgyMTgxOjA4BgNVBAkMMdCU0LXRgNCx
0LXQvdC10LLRgdC60LDRjyDQvdCw0LEuINC0LiA3INGB0YLRgC4gMTUxHzAdBgkq
hkiG9w0BCQEWEHBraS1ncmZjQGdyZmMucnUxCzAJBgNVBAYTAlJVMRwwGgYDVQQI
DBM3NyDQsy4g0JzQvtGB0LrQstCwMRUwEwYDVQQHDAzQnNC+0YHQutCy0LAxHDAa
BgNVBAoME9Ck0JPQo9CfICLQk9Cg0KfQpiIxITAfBgNVBAMMGNCj0KYg0KTQk9Cj
0J8gItCT0KDQp9CmIjBjMBwGBiqFAwICEzASBgcqhQMCAiMBBgcqhQMCAh4BA0MA
BECWU7YnkJgff0sdJ+i50FXAYZlpcSz8wO/2AnfCzGC+PMj/NGOKMMWcv8I9eN7W
eEXwIuRc96StDM8zJigQGd/1o4IB6TCCAeUwNgYFKoUDZG8ELQwrItCa0YDQuNC/
0YLQvtCf0YDQviBDU1AiICjQstC10YDRgdC40Y8gMy42KTCCATMGBSqFA2RwBIIB
KDCCASQMKyLQmtGA0LjQv9GC0L7Qn9GA0L4gQ1NQIiAo0LLQtdGA0YHQuNGPIDMu
NikMUyLQo9C00L7RgdGC0L7QstC10YDRj9GO0YnQuNC5INGG0LXQvdGC0YAgItCa
0YDQuNC/0YLQvtCf0YDQviDQo9CmIiDQstC10YDRgdC40LggMS41DE/QodC10YDR
gtC40YTQuNC60LDRgiDRgdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQv
MTIxLTE4NTkg0L7RgiAxNy4wNi4yMDEyDE/QodC10YDRgtC40YTQuNC60LDRgiDR
gdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQvMTI4LTE4MjIg0L7RgiAw
MS4wNi4yMDEyMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBRrAIaDidIAz1a4a+TjNhAeH3KuwzAQBgkrBgEEAYI3FQEEAwIBADAlBgNVHSAE
HjAcMAgGBiqFA2RxATAIBgYqhQNkcQIwBgYEVR0gADAIBgYqhQMCAgMDQQC9ld1f
Oit0pSliIMIkqIugExoh9UrWLrE/9VDplqCiyXkJFaJBwGDhHT8ljYj0TGDzD07j
KW64bgG0AywHjyc3
-----END CERTIFICATE-----

67
test/recipes/25-test_rusext_data/grfc.utf8 Normal file

@ -0,0 +1,67 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0c:8c:40:93:bb:e6:93:bd:43:0b:f5:18:26:03:1d:05
Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001
Issuer: OGRN=1027739334479, INN=007706228218, street=Дербеневская наб. д. 7 стр. 15, emailAddress=pki-grfc@grfc.ru, C=RU, ST=77 г. Москва, L=Москва, O=ФГУП "ГРЧЦ", CN=УЦ ФГУП "ГРЧЦ"
Validity
Not Before: Mar 12 07:38:26 2013 GMT
Not After : Mar 12 07:46:00 2028 GMT
Subject: OGRN=1027739334479, INN=007706228218, street=Дербеневская наб. д. 7 стр. 15, emailAddress=pki-grfc@grfc.ru, C=RU, ST=77 г. Москва, L=Москва, O=ФГУП "ГРЧЦ", CN=УЦ ФГУП "ГРЧЦ"
X509v3 extensions:
Signing Tool of Subject:
"КриптоПро CSP" (версия 3.6)
Signing Tool of Issuer:
signTool : "КриптоПро CSP" (версия 3.6)
cATool : "Удостоверяющий центр "КриптоПро УЦ" версии 1.5
signToolCert: Сертификат соответствия № СФ/121-1859 от 17.06.2012
cAToolCert : Сертификат соответствия № СФ/128-1822 от 01.06.2012
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
6B:00:86:83:89:D2:00:CF:56:B8:6B:E4:E3:36:10:1E:1F:72:AE:C3
1.3.6.1.4.1.311.21.1:
...
X509v3 Certificate Policies:
Policy: 1.2.643.100.113.1
Policy: 1.2.643.100.113.2
Policy: X509v3 Any Policy
Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001
Signature Value:
bd:95:dd:5f:3a:2b:74:a5:29:62:20:c2:24:a8:8b:a0:13:1a:
21:f5:4a:d6:2e:b1:3f:f5:50:e9:96:a0:a2:c9:79:09:15:a2:
41:c0:60:e1:1d:3f:25:8d:88:f4:4c:60:f3:0f:4e:e3:29:6e:
b8:6e:01:b4:03:2c:07:8f:27:37
-----BEGIN CERTIFICATE-----
MIIFGDCCBMegAwIBAgIQDIxAk7vmk71DC/UYJgMdBTAIBgYqhQMCAgMwggEWMRgw
FgYFKoUDZAESDTEwMjc3MzkzMzQ0NzkxGjAYBggqhQMDgQMBARIMMDA3NzA2MjI4
MjE4MTowOAYDVQQJDDHQlNC10YDQsdC10L3QtdCy0YHQutCw0Y8g0L3QsNCxLiDQ
tC4gNyDRgdGC0YAuIDE1MR8wHQYJKoZIhvcNAQkBFhBwa2ktZ3JmY0BncmZjLnJ1
MQswCQYDVQQGEwJSVTEcMBoGA1UECAwTNzcg0LMuINCc0L7RgdC60LLQsDEVMBMG
A1UEBwwM0JzQvtGB0LrQstCwMRwwGgYDVQQKDBPQpNCT0KPQnyAi0JPQoNCn0KYi
MSEwHwYDVQQDDBjQo9CmINCk0JPQo9CfICLQk9Cg0KfQpiIwHhcNMTMwMzEyMDcz
ODI2WhcNMjgwMzEyMDc0NjAwWjCCARYxGDAWBgUqhQNkARINMTAyNzczOTMzNDQ3
OTEaMBgGCCqFAwOBAwEBEgwwMDc3MDYyMjgyMTgxOjA4BgNVBAkMMdCU0LXRgNCx
0LXQvdC10LLRgdC60LDRjyDQvdCw0LEuINC0LiA3INGB0YLRgC4gMTUxHzAdBgkq
hkiG9w0BCQEWEHBraS1ncmZjQGdyZmMucnUxCzAJBgNVBAYTAlJVMRwwGgYDVQQI
DBM3NyDQsy4g0JzQvtGB0LrQstCwMRUwEwYDVQQHDAzQnNC+0YHQutCy0LAxHDAa
BgNVBAoME9Ck0JPQo9CfICLQk9Cg0KfQpiIxITAfBgNVBAMMGNCj0KYg0KTQk9Cj
0J8gItCT0KDQp9CmIjBjMBwGBiqFAwICEzASBgcqhQMCAiMBBgcqhQMCAh4BA0MA
BECWU7YnkJgff0sdJ+i50FXAYZlpcSz8wO/2AnfCzGC+PMj/NGOKMMWcv8I9eN7W
eEXwIuRc96StDM8zJigQGd/1o4IB6TCCAeUwNgYFKoUDZG8ELQwrItCa0YDQuNC/
0YLQvtCf0YDQviBDU1AiICjQstC10YDRgdC40Y8gMy42KTCCATMGBSqFA2RwBIIB
KDCCASQMKyLQmtGA0LjQv9GC0L7Qn9GA0L4gQ1NQIiAo0LLQtdGA0YHQuNGPIDMu
NikMUyLQo9C00L7RgdGC0L7QstC10YDRj9GO0YnQuNC5INGG0LXQvdGC0YAgItCa
0YDQuNC/0YLQvtCf0YDQviDQo9CmIiDQstC10YDRgdC40LggMS41DE/QodC10YDR
gtC40YTQuNC60LDRgiDRgdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQv
MTIxLTE4NTkg0L7RgiAxNy4wNi4yMDEyDE/QodC10YDRgtC40YTQuNC60LDRgiDR
gdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQvMTI4LTE4MjIg0L7RgiAw
MS4wNi4yMDEyMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBRrAIaDidIAz1a4a+TjNhAeH3KuwzAQBgkrBgEEAYI3FQEEAwIBADAlBgNVHSAE
HjAcMAgGBiqFA2RxATAIBgYqhQNkcQIwBgYEVR0gADAIBgYqhQMCAgMDQQC9ld1f
Oit0pSliIMIkqIugExoh9UrWLrE/9VDplqCiyXkJFaJBwGDhHT8ljYj0TGDzD07j
KW64bgG0AywHjyc3
-----END CERTIFICATE-----

5
util/libcrypto.num

@ -4950,6 +4950,11 @@ EVP_PKEY_CTX_set0_ecdh_kdf_ukm ? 3_0_0 EXIST::FUNCTION:EC
EVP_PKEY_CTX_get0_ecdh_kdf_ukm ? 3_0_0 EXIST::FUNCTION:EC
EVP_PKEY_CTX_set_rsa_pss_saltlen ? 3_0_0 EXIST::FUNCTION:RSA
EVP_PKEY_CTX_get_rsa_pss_saltlen ? 3_0_0 EXIST::FUNCTION:RSA
d2i_ISSUER_SIGN_TOOL ? 3_0_0 EXIST::FUNCTION:
i2d_ISSUER_SIGN_TOOL ? 3_0_0 EXIST::FUNCTION:
ISSUER_SIGN_TOOL_free ? 3_0_0 EXIST::FUNCTION:
ISSUER_SIGN_TOOL_new ? 3_0_0 EXIST::FUNCTION:
ISSUER_SIGN_TOOL_it ? 3_0_0 EXIST::FUNCTION:
OSSL_SELF_TEST_new ? 3_0_0 EXIST::FUNCTION:
OSSL_SELF_TEST_free ? 3_0_0 EXIST::FUNCTION:
OSSL_SELF_TEST_onbegin ? 3_0_0 EXIST::FUNCTION: