Introduce X509_get0_uids() accessor function

By introducing X509_get0_uids(), one can add RPKI profile compliance
checks to conform the absence of the issuerUID and subjectUID.

OK tb@ jsing@

diff --git a/lib/libcrypto/Symbols.namespace b/lib/libcrypto/Symbols.namespace
index b4be562..c68e897 100644 (file)
--- a/lib/libcrypto/Symbols.namespace
+++ b/lib/libcrypto/Symbols.namespace
@@ -341,6 +341,7 @@ _libre_X509_TRUST_set
 _libre_X509_NAME_oneline
 _libre_X509_get0_extensions
 _libre_X509_get0_tbs_sigalg
+_libre_X509_get0_uids
 _libre_X509_set_version
 _libre_X509_get_version
 _libre_X509_set_serialNumber

diff --git a/lib/libcrypto/hidden/openssl/x509.h b/lib/libcrypto/hidden/openssl/x509.h
index 59af41f..cdd09b4 100644 (file)
--- a/lib/libcrypto/hidden/openssl/x509.h
+++ b/lib/libcrypto/hidden/openssl/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.1 2022/11/14 17:48:49 beck Exp $ */
+/* $OpenBSD: x509.h,v 1.2 2023/02/23 18:12:32 job Exp $ */
 /*
  * Copyright (c) 2022 Bob Beck <beck@openbsd.org>
  *
@@ -105,6 +105,7 @@ LCRYPTO_USED(X509_TRUST_set);
 LCRYPTO_USED(X509_NAME_oneline);
 LCRYPTO_USED(X509_get0_extensions);
 LCRYPTO_USED(X509_get0_tbs_sigalg);
+LCRYPTO_USED(X509_get0_uids);
 LCRYPTO_USED(X509_set_version);
 LCRYPTO_USED(X509_get_version);
 LCRYPTO_USED(X509_set_serialNumber);

diff --git a/lib/libcrypto/man/X509V3_get_d2i.3 b/lib/libcrypto/man/X509V3_get_d2i.3
index 4e1a003..30f03c6 100644 (file)
--- a/lib/libcrypto/man/X509V3_get_d2i.3
+++ b/lib/libcrypto/man/X509V3_get_d2i.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509V3_get_d2i.3,v 1.19 2021/07/12 14:54:00 schwarze Exp $
+.\" $OpenBSD: X509V3_get_d2i.3,v 1.20 2023/02/23 18:12:32 job Exp $
 .\" full merge up to: OpenSSL ff7fbfd5 Nov 2 11:52:01 2015 +0000
 .\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 12 2021 $
+.Dd $Mdocdate: February 23 2023 $
 .Dt X509V3_GET_D2I 3
 .Os
 .Sh NAME
@@ -65,7 +65,8 @@
 .Nm X509_REVOKED_add1_ext_i2d ,
 .Nm X509_get0_extensions ,
 .Nm X509_CRL_get0_extensions ,
-.Nm X509_REVOKED_get0_extensions
+.Nm X509_REVOKED_get0_extensions ,
+.Nm X509_get0_uids
 .Nd X509 extension decode and encode functions
 .Sh SYNOPSIS
 .In openssl/x509v3.h
@@ -151,6 +152,12 @@
 .Fo X509_REVOKED_get0_extensions
 .Fa "const X509_REVOKED *r"
 .Fc
+.Ft void
+.Fo X509_get0_uids
+.Fa "const X509 *x"
+.Fa "const ASN1_BIT_STRING **piuid"
+.Fa "const ASN1_BIT_STRING **psuid"
+.Fc
 .Sh DESCRIPTION
 .Fn X509V3_get_d2i
 looks for an extension with OID
@@ -300,6 +307,16 @@ if the extension is not found, occurs multiple times or cannot be
 decoded.
 It is possible to determine the precise reason by checking the value of
 .Pf * Fa crit .
+.Pp
+.Fn X509_get0_uids
+sets
+.Fa *piuid
+and
+.Fa *psuid
+to the issuer and subject unique identifiers of certificate
+.Fa x
+or NULL if the fields are not present.
+These fields are rarely used.
 .Sh SUPPORTED EXTENSIONS
 The following sections contain a list of all supported extensions
 including their name and NID.
@@ -449,3 +466,7 @@ and
 .Fn X509_REVOKED_get0_extensions
 first appeared in OpenSSL 1.1.0 and have been available since
 .Ox 6.3 .
+.Pp
+.Fn X509_get0_uids
+first appeared in OpenSSL 1.1.0 and has been available since
+.Ox 7.3 .

diff --git a/lib/libcrypto/x509/x509.h b/lib/libcrypto/x509/x509.h
index 4ecad06..e31f718 100644 (file)
--- a/lib/libcrypto/x509/x509.h
+++ b/lib/libcrypto/x509/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.92 2022/12/26 16:00:36 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.93 2023/02/23 18:12:32 job Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -771,6 +771,10 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it,
 #endif
 
 const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
+#if defined(LIBRESSL_INTERNAL) || defined(LIBRESSL_NEXT_API)
+void           X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
+                   const ASN1_BIT_STRING **psuid);
+#endif
 const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x);
 int            X509_set_version(X509 *x, long version);
 long           X509_get_version(const X509 *x);

diff --git a/lib/libcrypto/x509/x509_set.c b/lib/libcrypto/x509/x509_set.c
index e65ffb3..19e0f2b 100644 (file)
--- a/lib/libcrypto/x509/x509_set.c
+++ b/lib/libcrypto/x509/x509_set.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_set.c,v 1.23 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x509_set.c,v 1.24 2023/02/23 18:12:32 job Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -242,3 +242,14 @@ X509_get_X509_PUBKEY(const X509 *x)
        return x->cert_info->key;
 }
 LCRYPTO_ALIAS(X509_get_X509_PUBKEY);
+
+void
+X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
+    const ASN1_BIT_STRING **psuid)
+{
+       if (piuid != NULL)
+               *piuid = x->cert_info->issuerUID;
+       if (psuid != NULL)
+               *psuid = x->cert_info->subjectUID;
+}
+LCRYPTO_ALIAS(X509_get0_uids);