From cccdf41010d0859a0d134ac45be7218d9ffd90d2 Mon Sep 17 00:00:00 2001 From: "Jonathan M. Wilbur" Date: Wed, 11 Sep 2024 02:24:12 +0000 Subject: [PATCH] feat: support the attributeDescriptor X.509v3 extension Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/25429) --- crypto/x509/build.info | 2 +- crypto/x509/ext_dat.h | 1 + crypto/x509/standard_exts.h | 1 + crypto/x509/v3_attrdesc.c | 191 ++++++++++++++++++++++++++++++++++++ include/openssl/x509v3.h.in | 39 ++++++++ 5 files changed, 233 insertions(+), 1 deletion(-) create mode 100644 crypto/x509/v3_attrdesc.c diff --git a/crypto/x509/build.info b/crypto/x509/build.info index 9d15c481fd..3441f49016 100644 --- a/crypto/x509/build.info +++ b/crypto/x509/build.info @@ -18,7 +18,7 @@ SOURCE[../../libcrypto]=\ v3_soa_id.c v3_no_ass.c v3_group_ac.c v3_single_use.c v3_ind_iss.c \ x509_acert.c x509aset.c t_acert.c x_ietfatt.c v3_ac_tgt.c v3_sda.c \ v3_usernotice.c v3_battcons.c v3_audit_id.c v3_iobo.c v3_authattid.c \ - v3_rolespec.c + v3_rolespec.c v3_attrdesc.c IF[{- !$disabled{'deprecated-3.0'} -}] SOURCE[../../libcrypto]=x509type.c diff --git a/crypto/x509/ext_dat.h b/crypto/x509/ext_dat.h index b670e3843a..24f381e0ce 100644 --- a/crypto/x509/ext_dat.h +++ b/crypto/x509/ext_dat.h @@ -44,3 +44,4 @@ extern const X509V3_EXT_METHOD ossl_v3_audit_identity; extern const X509V3_EXT_METHOD ossl_v3_issued_on_behalf_of; extern const X509V3_EXT_METHOD ossl_v3_authority_attribute_identifier; extern const X509V3_EXT_METHOD ossl_v3_role_spec_cert_identifier; +extern const X509V3_EXT_METHOD ossl_v3_attribute_descriptor; diff --git a/crypto/x509/standard_exts.h b/crypto/x509/standard_exts.h index 19e5eab161..482d4e6256 100644 --- a/crypto/x509/standard_exts.h +++ b/crypto/x509/standard_exts.h @@ -80,6 +80,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = { &ossl_v3_role_spec_cert_identifier, &ossl_v3_battcons, &ossl_v3_delegated_name_constraints, + &ossl_v3_attribute_descriptor, &ossl_v3_user_notice, &ossl_v3_soa_identifier, &ossl_v3_acc_cert_policies, diff --git a/crypto/x509/v3_attrdesc.c b/crypto/x509/v3_attrdesc.c new file mode 100644 index 0000000000..85509fc402 --- /dev/null +++ b/crypto/x509/v3_attrdesc.c @@ -0,0 +1,191 @@ +/* + * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include "ext_dat.h" + +ASN1_SEQUENCE(OSSL_HASH) = { + ASN1_SIMPLE(OSSL_HASH, algorithmIdentifier, X509_ALGOR), + ASN1_OPT(OSSL_HASH, hashValue, ASN1_BIT_STRING), +} ASN1_SEQUENCE_END(OSSL_HASH) + +ASN1_SEQUENCE(OSSL_INFO_SYNTAX_POINTER) = { + ASN1_SIMPLE(OSSL_INFO_SYNTAX_POINTER, name, GENERAL_NAMES), + ASN1_OPT(OSSL_INFO_SYNTAX_POINTER, hash, OSSL_HASH), +} ASN1_SEQUENCE_END(OSSL_INFO_SYNTAX_POINTER) + +ASN1_CHOICE(OSSL_INFO_SYNTAX) = { + ASN1_SIMPLE(OSSL_INFO_SYNTAX, choice.content, DIRECTORYSTRING), + ASN1_SIMPLE(OSSL_INFO_SYNTAX, choice.pointer, OSSL_INFO_SYNTAX_POINTER) +} ASN1_CHOICE_END(OSSL_INFO_SYNTAX) + +ASN1_SEQUENCE(OSSL_PRIVILEGE_POLICY_ID) = { + ASN1_SIMPLE(OSSL_PRIVILEGE_POLICY_ID, privilegePolicy, ASN1_OBJECT), + ASN1_SIMPLE(OSSL_PRIVILEGE_POLICY_ID, privPolSyntax, OSSL_INFO_SYNTAX), +} ASN1_SEQUENCE_END(OSSL_PRIVILEGE_POLICY_ID) + +ASN1_SEQUENCE(OSSL_ATTRIBUTE_DESCRIPTOR) = { + ASN1_SIMPLE(OSSL_ATTRIBUTE_DESCRIPTOR, identifier, ASN1_OBJECT), + ASN1_SIMPLE(OSSL_ATTRIBUTE_DESCRIPTOR, attributeSyntax, ASN1_OCTET_STRING), + ASN1_IMP_OPT(OSSL_ATTRIBUTE_DESCRIPTOR, name, ASN1_UTF8STRING, 0), + ASN1_IMP_OPT(OSSL_ATTRIBUTE_DESCRIPTOR, description, ASN1_UTF8STRING, 1), + ASN1_SIMPLE(OSSL_ATTRIBUTE_DESCRIPTOR, dominationRule, OSSL_PRIVILEGE_POLICY_ID), +} ASN1_SEQUENCE_END(OSSL_ATTRIBUTE_DESCRIPTOR) + +IMPLEMENT_ASN1_FUNCTIONS(OSSL_HASH) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_INFO_SYNTAX) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_INFO_SYNTAX_POINTER) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_PRIVILEGE_POLICY_ID) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_ATTRIBUTE_DESCRIPTOR) + +/* Copied from x_attrib.c */ +static int print_hex(BIO *out, unsigned char *buf, int len) +{ + int result = 1; + char *hexbuf; + + if (len == 0) + return 1; + + hexbuf = OPENSSL_buf2hexstr(buf, len); + if (hexbuf == NULL) + return 0; + result = BIO_puts(out, hexbuf) > 0; + + OPENSSL_free(hexbuf); + return result; +} + +static int i2r_HASH(X509V3_EXT_METHOD *method, + OSSL_HASH *hash, + BIO *out, int indent) +{ + if (BIO_printf(out, "%*sAlgorithm: ", indent, "") <= 0) + return 0; + if (i2a_ASN1_OBJECT(out, hash->algorithmIdentifier->algorithm) <= 0) + return 0; + if (BIO_puts(out, "\n") <= 0) + return 0; + if (hash->algorithmIdentifier->parameter) { + if (BIO_printf(out, "%*sParameter: ", indent, "") <= 0) + return 0; + if (ossl_print_attribute_value(out, 0, hash->algorithmIdentifier->parameter, + indent + 4) <= 0) + return 0; + if (BIO_puts(out, "\n") <= 0) + return 0; + } + if (BIO_printf(out, "%*sHash Value: ", indent, "") <= 0) + return 0; + return print_hex(out, hash->hashValue->data, hash->hashValue->length); +} + +static int i2r_INFO_SYNTAX_POINTER(X509V3_EXT_METHOD *method, + OSSL_INFO_SYNTAX_POINTER *pointer, + BIO *out, int indent) +{ + if (BIO_printf(out, "%*sNames:\n", indent, "") <= 0) + return 0; + if (OSSL_GENERAL_NAMES_print(out, pointer->name, indent) <= 0) + return 0; + if (BIO_puts(out, "\n") <= 0) + return 0; + if (pointer->hash != NULL) { + if (BIO_printf(out, "%*sHash:\n", indent, "") <= 0) + return 0; + if (i2r_HASH(method, pointer->hash, out, indent + 4) <= 0) + return 0; + } + return 1; +} + +static int i2r_OSSL_INFO_SYNTAX(X509V3_EXT_METHOD *method, + OSSL_INFO_SYNTAX *info, + BIO *out, int indent) +{ + switch (info->type) { + case (OSSL_INFO_SYNTAX_TYPE_CONTENT): + if (BIO_printf(out, "%*sContent: ", indent, "") <= 0) + return 0; + if (BIO_printf(out, "%.*s", info->choice.content->length, info->choice.content->data) <= 0) + return 0; + if (BIO_puts(out, "\n") <= 0) + return 0; + return 1; + case (OSSL_INFO_SYNTAX_TYPE_POINTER): + if (BIO_printf(out, "%*sPointer:\n", indent, "") <= 0) + return 0; + return i2r_INFO_SYNTAX_POINTER(method, info->choice.pointer, out, indent + 4); + default: + return 0; + } + return 0; +} + +static int i2r_OSSL_PRIVILEGE_POLICY_ID(X509V3_EXT_METHOD *method, + OSSL_PRIVILEGE_POLICY_ID *ppid, + BIO *out, int indent) +{ + char buf[80]; + + /* Intentionally display the numeric OID, rather than the textual name. */ + if (OBJ_obj2txt(buf, sizeof(buf), ppid->privilegePolicy, 1) <= 0) + return 0; + if (BIO_printf(out, "%*sPrivilege Policy Identifier: %s\n", indent, "", buf) <= 0) + return 0; + if (BIO_printf(out, "%*sPrivilege Policy Syntax:\n", indent, "") <= 0) + return 0; + return i2r_OSSL_INFO_SYNTAX(method, ppid->privPolSyntax, out, indent + 4); +} + +static int i2r_OSSL_ATTRIBUTE_DESCRIPTOR(X509V3_EXT_METHOD *method, + OSSL_ATTRIBUTE_DESCRIPTOR *ad, + BIO *out, int indent) +{ + char buf[80]; + + /* Intentionally display the numeric OID, rather than the textual name. */ + if (OBJ_obj2txt(buf, sizeof(buf), ad->identifier, 1) <= 0) + return 0; + if (BIO_printf(out, "%*sIdentifier: %s\n", indent, "", buf) <= 0) + return 0; + if (BIO_printf(out, "%*sSyntax:\n", indent, "") <= 0) + return 0; + if (BIO_printf(out, "%*s%.*s", indent + 4, "", + ad->attributeSyntax->length, ad->attributeSyntax->data) <= 0) + return 0; + if (BIO_puts(out, "\n\n") <= 0) + return 0; + if (ad->name != NULL) { + if (BIO_printf(out, "%*sName: %.*s\n", indent, "", ad->name->length, ad->name->data) <= 0) + return 0; + } + if (ad->description != NULL) { + if (BIO_printf(out, "%*sDescription: %.*s\n", indent, "", + ad->description->length, ad->description->data) <= 0) + return 0; + } + if (BIO_printf(out, "%*sDomination Rule:\n", indent, "") <= 0) + return 0; + return i2r_OSSL_PRIVILEGE_POLICY_ID(method, ad->dominationRule, out, indent + 4); +} + +const X509V3_EXT_METHOD ossl_v3_attribute_descriptor = { + NID_attribute_descriptor, X509V3_EXT_MULTILINE, + ASN1_ITEM_ref(OSSL_ATTRIBUTE_DESCRIPTOR), + 0, 0, 0, 0, + 0, 0, + 0, + 0, + (X509V3_EXT_I2R)i2r_OSSL_ATTRIBUTE_DESCRIPTOR, + NULL, + NULL +}; diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in index 5e0605fe9c..6bd5792c92 100644 --- a/include/openssl/x509v3.h.in +++ b/include/openssl/x509v3.h.in @@ -1052,6 +1052,45 @@ DECLARE_ASN1_FUNCTIONS(OSSL_ROLE_SPEC_CERT_ID) typedef STACK_OF(OSSL_ROLE_SPEC_CERT_ID) OSSL_ROLE_SPEC_CERT_ID_SYNTAX; DECLARE_ASN1_FUNCTIONS(OSSL_ROLE_SPEC_CERT_ID_SYNTAX) +typedef struct OSSL_HASH_st { + X509_ALGOR *algorithmIdentifier; + ASN1_BIT_STRING *hashValue; +} OSSL_HASH; + +typedef struct OSSL_INFO_SYNTAX_POINTER_st { + GENERAL_NAMES *name; + OSSL_HASH *hash; +} OSSL_INFO_SYNTAX_POINTER; + +# define OSSL_INFO_SYNTAX_TYPE_CONTENT 0 +# define OSSL_INFO_SYNTAX_TYPE_POINTER 1 + +typedef struct OSSL_INFO_SYNTAX_st { + int type; + union { + ASN1_STRING *content; + OSSL_INFO_SYNTAX_POINTER *pointer; + } choice; +} OSSL_INFO_SYNTAX; + +typedef struct OSSL_PRIVILEGE_POLICY_ID_st { + ASN1_OBJECT *privilegePolicy; + OSSL_INFO_SYNTAX *privPolSyntax; +} OSSL_PRIVILEGE_POLICY_ID; + +typedef struct OSSL_ATTRIBUTE_DESCRIPTOR_st { + ASN1_OBJECT *identifier; + ASN1_STRING *attributeSyntax; + ASN1_UTF8STRING *name; + ASN1_UTF8STRING *description; + OSSL_PRIVILEGE_POLICY_ID *dominationRule; +} OSSL_ATTRIBUTE_DESCRIPTOR; + +DECLARE_ASN1_FUNCTIONS(OSSL_HASH) +DECLARE_ASN1_FUNCTIONS(OSSL_INFO_SYNTAX) +DECLARE_ASN1_FUNCTIONS(OSSL_INFO_SYNTAX_POINTER) +DECLARE_ASN1_FUNCTIONS(OSSL_PRIVILEGE_POLICY_ID) +DECLARE_ASN1_FUNCTIONS(OSSL_ATTRIBUTE_DESCRIPTOR) # ifdef __cplusplus }