Add ESSCertIDv2 ASN.1 boilerplate
authorkn <kn@openbsd.org>
Sat, 16 Jul 2022 18:36:36 +0000 (18:36 +0000)
committerkn <kn@openbsd.org>
Sat, 16 Jul 2022 18:36:36 +0000 (18:36 +0000)
Guard the new code under LIBRESSL_INTERNAL to defer symbol addition and
minor library bump (thanks tb).

ts/ts.h bits from
RFC 5035 Enhanced Security Services (ESS) Update:
    Adding CertID Algorithm Agility

ts/ts_asn1.c bits expanded from
ASN1_SEQUENCE(ESS_CERT_ID_V2) = {
        ASN1_OPT(ESS_CERT_ID_V2, hash_alg, X509_ALGOR),
        ASN1_SIMPLE(ESS_CERT_ID_V2, hash, ASN1_OCTET_STRING),
        ASN1_OPT(ESS_CERT_ID_V2, issuer_serial, ESS_ISSUER_SERIAL)
} static_ASN1_SEQUENCE_END(ESS_CERT_ID_V2)

IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID_V2)
IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2)

ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = {
        ASN1_SEQUENCE_OF(ESS_SIGNING_CERT_V2, cert_ids, ESS_CERT_ID_V2),
        ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT_V2, policy_info, POLICYINFO)
} static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT_V2)

IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT_V2)
IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)

Feedback OK tb

lib/libcrypto/ts/ts.h
lib/libcrypto/ts/ts_asn1.c

index b2fe32b..6d4b2dd 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts.h,v 1.12 2022/07/16 15:02:29 kn Exp $ */
+/* $OpenBSD: ts.h,v 1.13 2022/07/16 18:36:36 kn Exp $ */
 /* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
  * project 2002, 2003, 2004.
  */
@@ -264,6 +264,34 @@ typedef struct ESS_signing_cert {
        STACK_OF(POLICYINFO) *policy_info;
 } ESS_SIGNING_CERT;
 
+#ifdef LIBRESSL_INTERNAL
+/*
+ * ESSCertIDv2 ::=  SEQUENCE {
+ *     hashAlgorithm           AlgorithmIdentifier
+ *            DEFAULT {algorithm id-sha256},
+ *     certHash                 Hash,
+ *     issuerSerial             IssuerSerial OPTIONAL }
+ */
+
+typedef struct ESS_cert_id_v2 {
+       X509_ALGOR *hash_alg;   /* Default SHA-256. */
+       ASN1_OCTET_STRING *hash;
+       ESS_ISSUER_SERIAL *issuer_serial;
+} ESS_CERT_ID_V2;
+
+DECLARE_STACK_OF(ESS_CERT_ID_V2)
+
+/*
+ * SigningCertificateV2 ::=  SEQUENCE {
+ *     certs        SEQUENCE OF ESSCertIDv2,
+ *     policies     SEQUENCE OF PolicyInformation OPTIONAL }
+ */
+
+typedef struct ESS_signing_cert_v2 {
+       STACK_OF(ESS_CERT_ID_V2) *cert_ids;
+       STACK_OF(POLICYINFO) *policy_info;
+} ESS_SIGNING_CERT_V2;
+#endif /* LIBRESSL_INTERNAL */
 
 TS_REQ *TS_REQ_new(void);
 void   TS_REQ_free(TS_REQ *a);
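Review bot: The `/* Default SHA-256. */` comment on the `hash_alg` member understates the contract a consumer has to honour: the ASN.1 field is DEFAULT, not OPTIONAL, so on a DER-encoded attribute the sender normally omits it and the decoded struct carries `hash_alg == NULL`; any future certHash comparison must substitute id-sha256 rather than dereference or reject the NULL. I would make that explicit on the member, e.g. `X509_ALGOR *hash_alg; /* NULL means DEFAULT id-sha256; callers must apply it. */`. It is also worth noting next to the ASN.1 excerpt that, per RFC 5035, certHash is taken over the entire DER-encoded certificate including its signature, since that is what any verifier built on this struct will need to hash. The declarations are guarded by LIBRESSL_INTERNAL, so nothing consumes them yet and this is documentation only.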
@@ -351,6 +379,23 @@ ESS_SIGNING_CERT *d2i_ESS_SIGNING_CERT(ESS_SIGNING_CERT **a,
                    const unsigned char **pp, long length);
 ESS_SIGNING_CERT *ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *a);
 
+#ifdef LIBRESSL_INTERNAL
+ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new(void);
+void ESS_CERT_ID_V2_free(ESS_CERT_ID_V2 *a);
+int i2d_ESS_CERT_ID_V2(const ESS_CERT_ID_V2 *a, unsigned char **pp);
+ESS_CERT_ID_V2 *d2i_ESS_CERT_ID_V2(ESS_CERT_ID_V2 **a, const unsigned char **pp,
+    long length);
+ESS_CERT_ID_V2 *ESS_CERT_ID_V2_dup(ESS_CERT_ID_V2 *a);
+
+ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_new(void);
+void ESS_SIGNING_CERT_V2_free(ESS_SIGNING_CERT_V2 *a);
+int i2d_ESS_SIGNING_CERT_V2(const ESS_SIGNING_CERT_V2 *a,
+    unsigned char **pp);
+ESS_SIGNING_CERT_V2 *d2i_ESS_SIGNING_CERT_V2(ESS_SIGNING_CERT_V2 **a,
+    const unsigned char **pp, long length);
+ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_dup(ESS_SIGNING_CERT_V2 *a);
+#endif /* LIBRESSL_INTERNAL */
+
 int TS_REQ_set_version(TS_REQ *a, long version);
 long TS_REQ_get_version(const TS_REQ *a);
 
index bc89f13..c4316d1 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_asn1.c,v 1.11 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ts_asn1.c,v 1.12 2022/07/16 18:36:36 kn Exp $ */
 /* Written by Nils Larsch for the OpenSSL project 2004.
  */
 /* ====================================================================
@@ -846,6 +846,129 @@ ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *x)
        return ASN1_item_dup(&ESS_SIGNING_CERT_it, x);
 }
 
+static const ASN1_TEMPLATE ESS_CERT_ID_V2_seq_tt[] = {
+       {
+               .flags = ASN1_TFLG_OPTIONAL,
+               .tag = 0,
+               .offset = offsetof(ESS_CERT_ID_V2, hash_alg),
+               .field_name = "hash_alg",
+               .item = &X509_ALGOR_it,
+       },
+       {
+               .flags = 0,
+               .tag = 0,
+               .offset = offsetof(ESS_CERT_ID_V2, hash),
+               .field_name = "hash",
+               .item = &ASN1_OCTET_STRING_it,
+       },
+       {
+               .flags = ASN1_TFLG_OPTIONAL,
+               .tag = 0,
+               .offset = offsetof(ESS_CERT_ID_V2, issuer_serial),
+               .field_name = "issuer_serial",
+               .item = &ESS_ISSUER_SERIAL_it,
+       },
+};
+
+static const ASN1_ITEM ESS_CERT_ID_V2_it = {
+       .itype = ASN1_ITYPE_SEQUENCE,
+       .utype = V_ASN1_SEQUENCE,
+       .templates = ESS_CERT_ID_V2_seq_tt,
+       .tcount = sizeof(ESS_CERT_ID_V2_seq_tt) / sizeof(ASN1_TEMPLATE),
+       .funcs = NULL,
+       .size = sizeof(ESS_CERT_ID_V2),
+       .sname = "ESS_CERT_ID_V2",
+};
+
+ESS_CERT_ID_V2 *
+d2i_ESS_CERT_ID_V2(ESS_CERT_ID_V2 **a, const unsigned char **in, long len)
+{
+       return (ESS_CERT_ID_V2 *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+           &ESS_CERT_ID_V2_it);
+}
+
+int
+i2d_ESS_CERT_ID_V2(const ESS_CERT_ID_V2 *a, unsigned char **out)
+{
+       return ASN1_item_i2d((ASN1_VALUE *)a, out, &ESS_CERT_ID_V2_it);
+}
+
+ESS_CERT_ID_V2 *
+ESS_CERT_ID_V2_new(void)
+{
+       return (ESS_CERT_ID_V2 *)ASN1_item_new(&ESS_CERT_ID_V2_it);
+}
+
+void
+ESS_CERT_ID_V2_free(ESS_CERT_ID_V2 *a)
+{
+       ASN1_item_free((ASN1_VALUE *)a, &ESS_CERT_ID_V2_it);
+}
+
+ESS_CERT_ID_V2 *
+ESS_CERT_ID_V2_dup(ESS_CERT_ID_V2 *x)
+{
+       return ASN1_item_dup(&ESS_CERT_ID_V2_it, x);
+}
+
+static const ASN1_TEMPLATE ESS_SIGNING_CERT_V2_seq_tt[] = {
+       {
+               .flags = ASN1_TFLG_SEQUENCE_OF,
+               .tag = 0,
+               .offset = offsetof(ESS_SIGNING_CERT_V2, cert_ids),
+               .field_name = "cert_ids",
+               .item = &ESS_CERT_ID_V2_it,
+       },
+       {
+               .flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+               .tag = 0,
+               .offset = offsetof(ESS_SIGNING_CERT_V2, policy_info),
+               .field_name = "policy_info",
+               .item = &POLICYINFO_it,
+       },
+};
+
+static const ASN1_ITEM ESS_SIGNING_CERT_V2_it = {
+       .itype = ASN1_ITYPE_SEQUENCE,
+       .utype = V_ASN1_SEQUENCE,
+       .templates = ESS_SIGNING_CERT_V2_seq_tt,
+       .tcount = sizeof(ESS_SIGNING_CERT_V2_seq_tt) / sizeof(ASN1_TEMPLATE),
+       .funcs = NULL,
+       .size = sizeof(ESS_SIGNING_CERT_V2),
+       .sname = "ESS_SIGNING_CERT_V2",
+};
+
+ESS_SIGNING_CERT_V2 *
+d2i_ESS_SIGNING_CERT_V2(ESS_SIGNING_CERT_V2 **a, const unsigned char **in, long len)
+{
+       return (ESS_SIGNING_CERT_V2 *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+           &ESS_SIGNING_CERT_V2_it);
+}
+
+int
+i2d_ESS_SIGNING_CERT_V2(const ESS_SIGNING_CERT_V2 *a, unsigned char **out)
+{
+       return ASN1_item_i2d((ASN1_VALUE *)a, out, &ESS_SIGNING_CERT_V2_it);
+}
+
+ESS_SIGNING_CERT_V2 *
+ESS_SIGNING_CERT_V2_new(void)
+{
+       return (ESS_SIGNING_CERT_V2 *)ASN1_item_new(&ESS_SIGNING_CERT_V2_it);
+}
+
+void
+ESS_SIGNING_CERT_V2_free(ESS_SIGNING_CERT_V2 *a)
+{
+       ASN1_item_free((ASN1_VALUE *)a, &ESS_SIGNING_CERT_V2_it);
+}
+
+ESS_SIGNING_CERT_V2 *
+ESS_SIGNING_CERT_V2_dup(ESS_SIGNING_CERT_V2 *x)
+{
+       return ASN1_item_dup(&ESS_SIGNING_CERT_V2_it, x);
+}
+
 /* Getting encapsulated TS_TST_INFO object from PKCS7. */
 TS_TST_INFO *
 PKCS7_to_TS_TST_INFO(PKCS7 *token)
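Review bot: The `hash_alg` template entry uses `ASN1_TFLG_OPTIONAL` for a field the ASN.1 declares `DEFAULT {algorithm id-sha256}`, which mirrors how the existing v1 items are written but has two consequences the template should document: `d2i_ESS_CERT_ID_V2()` never synthesizes a SHA-256 AlgorithmIdentifier (the pointer is simply NULL), and `i2d_ESS_CERT_ID_V2()` will emit an explicit id-sha256 if a caller sets one, which DER requires to be omitted, so an encoder that sets it produces a non-canonical attribute that a strict peer may reject. I would add above the entry: `/* DEFAULT id-sha256: decodes as NULL when absent; encoders should leave it NULL for SHA-256 so the DER stays canonical. */`. Separately, the definition line `d2i_ESS_SIGNING_CERT_V2(ESS_SIGNING_CERT_V2 **a, const unsigned char **in, long len)` exceeds 80 columns; wrapping the parameter list as the header's declaration already does would keep it within KNF.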