From: kn <kn@openbsd.org>
Date: Sat, 16 Jul 2022 18:36:36 +0000 (+0000)
Subject: Add ESSCertIDv2 ASN.1 boilerplate
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=ba539a43659d46be5767f3629998d4a3bef0809e;p=openbsd

Add ESSCertIDv2 ASN.1 boilerplate

Guard the new code under LIBRESSL_INTERNAL to defer symbol addition and
minor library bump (thanks tb).

ts/ts.h bits from
	RFC 5035 Enhanced Security Services (ESS) Update:
	    Adding CertID Algorithm Agility

ts/ts_asn1.c bits expanded from
	ASN1_SEQUENCE(ESS_CERT_ID_V2) = {
	        ASN1_OPT(ESS_CERT_ID_V2, hash_alg, X509_ALGOR),
	        ASN1_SIMPLE(ESS_CERT_ID_V2, hash, ASN1_OCTET_STRING),
	        ASN1_OPT(ESS_CERT_ID_V2, issuer_serial, ESS_ISSUER_SERIAL)
	} static_ASN1_SEQUENCE_END(ESS_CERT_ID_V2)

	IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID_V2)
	IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2)

	ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = {
	        ASN1_SEQUENCE_OF(ESS_SIGNING_CERT_V2, cert_ids, ESS_CERT_ID_V2),
	        ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT_V2, policy_info, POLICYINFO)
	} static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT_V2)

	IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT_V2)
	IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)

Feedback OK tb
---

diff --git a/lib/libcrypto/ts/ts.h b/lib/libcrypto/ts/ts.h
index b2fe32bf771..6d4b2dd3a60 100644
--- a/lib/libcrypto/ts/ts.h
+++ b/lib/libcrypto/ts/ts.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts.h,v 1.12 2022/07/16 15:02:29 kn Exp $ */
+/* $OpenBSD: ts.h,v 1.13 2022/07/16 18:36:36 kn Exp $ */
 /* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
  * project 2002, 2003, 2004.
  */
@@ -264,6 +264,34 @@ typedef struct ESS_signing_cert {
 	STACK_OF(POLICYINFO) *policy_info;
 } ESS_SIGNING_CERT;
 
+#ifdef LIBRESSL_INTERNAL
+/*
+ * ESSCertIDv2 ::=  SEQUENCE {
+ *     hashAlgorithm           AlgorithmIdentifier
+ *            DEFAULT {algorithm id-sha256},
+ *     certHash                 Hash,
+ *     issuerSerial             IssuerSerial OPTIONAL }
+ */
+
+typedef struct ESS_cert_id_v2 {
+	X509_ALGOR *hash_alg;	/* Default SHA-256. */
+	ASN1_OCTET_STRING *hash;
+	ESS_ISSUER_SERIAL *issuer_serial;
+} ESS_CERT_ID_V2;
+
+DECLARE_STACK_OF(ESS_CERT_ID_V2)
+
+/*
+ * SigningCertificateV2 ::=  SEQUENCE {
+ *     certs        SEQUENCE OF ESSCertIDv2,
+ *     policies     SEQUENCE OF PolicyInformation OPTIONAL }
+ */
+
+typedef struct ESS_signing_cert_v2 {
+	STACK_OF(ESS_CERT_ID_V2) *cert_ids;
+	STACK_OF(POLICYINFO) *policy_info;
+} ESS_SIGNING_CERT_V2;
+#endif /* LIBRESSL_INTERNAL */
 
 TS_REQ	*TS_REQ_new(void);
 void	TS_REQ_free(TS_REQ *a);
@@ -351,6 +379,23 @@ ESS_SIGNING_CERT *d2i_ESS_SIGNING_CERT(ESS_SIGNING_CERT **a,
 		    const unsigned char **pp, long length);
 ESS_SIGNING_CERT *ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *a);
 
+#ifdef LIBRESSL_INTERNAL
+ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new(void);
+void ESS_CERT_ID_V2_free(ESS_CERT_ID_V2 *a);
+int i2d_ESS_CERT_ID_V2(const ESS_CERT_ID_V2 *a, unsigned char **pp);
+ESS_CERT_ID_V2 *d2i_ESS_CERT_ID_V2(ESS_CERT_ID_V2 **a, const unsigned char **pp,
+    long length);
+ESS_CERT_ID_V2 *ESS_CERT_ID_V2_dup(ESS_CERT_ID_V2 *a);
+
+ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_new(void);
+void ESS_SIGNING_CERT_V2_free(ESS_SIGNING_CERT_V2 *a);
+int i2d_ESS_SIGNING_CERT_V2(const ESS_SIGNING_CERT_V2 *a,
+    unsigned char **pp);
+ESS_SIGNING_CERT_V2 *d2i_ESS_SIGNING_CERT_V2(ESS_SIGNING_CERT_V2 **a,
+    const unsigned char **pp, long length);
+ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_dup(ESS_SIGNING_CERT_V2 *a);
+#endif /* LIBRESSL_INTERNAL */
+
 int TS_REQ_set_version(TS_REQ *a, long version);
 long TS_REQ_get_version(const TS_REQ *a);
 
diff --git a/lib/libcrypto/ts/ts_asn1.c b/lib/libcrypto/ts/ts_asn1.c
index bc89f1368af..c4316d13f84 100644
--- a/lib/libcrypto/ts/ts_asn1.c
+++ b/lib/libcrypto/ts/ts_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_asn1.c,v 1.11 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ts_asn1.c,v 1.12 2022/07/16 18:36:36 kn Exp $ */
 /* Written by Nils Larsch for the OpenSSL project 2004.
  */
 /* ====================================================================
@@ -846,6 +846,129 @@ ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *x)
 	return ASN1_item_dup(&ESS_SIGNING_CERT_it, x);
 }
 
+static const ASN1_TEMPLATE ESS_CERT_ID_V2_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(ESS_CERT_ID_V2, hash_alg),
+		.field_name = "hash_alg",
+		.item = &X509_ALGOR_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(ESS_CERT_ID_V2, hash),
+		.field_name = "hash",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(ESS_CERT_ID_V2, issuer_serial),
+		.field_name = "issuer_serial",
+		.item = &ESS_ISSUER_SERIAL_it,
+	},
+};
+
+static const ASN1_ITEM ESS_CERT_ID_V2_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = ESS_CERT_ID_V2_seq_tt,
+	.tcount = sizeof(ESS_CERT_ID_V2_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(ESS_CERT_ID_V2),
+	.sname = "ESS_CERT_ID_V2",
+};
+
+ESS_CERT_ID_V2 *
+d2i_ESS_CERT_ID_V2(ESS_CERT_ID_V2 **a, const unsigned char **in, long len)
+{
+	return (ESS_CERT_ID_V2 *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &ESS_CERT_ID_V2_it);
+}
+
+int
+i2d_ESS_CERT_ID_V2(const ESS_CERT_ID_V2 *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &ESS_CERT_ID_V2_it);
+}
+
+ESS_CERT_ID_V2 *
+ESS_CERT_ID_V2_new(void)
+{
+	return (ESS_CERT_ID_V2 *)ASN1_item_new(&ESS_CERT_ID_V2_it);
+}
+
+void
+ESS_CERT_ID_V2_free(ESS_CERT_ID_V2 *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &ESS_CERT_ID_V2_it);
+}
+
+ESS_CERT_ID_V2 *
+ESS_CERT_ID_V2_dup(ESS_CERT_ID_V2 *x)
+{
+	return ASN1_item_dup(&ESS_CERT_ID_V2_it, x);
+}
+
+static const ASN1_TEMPLATE ESS_SIGNING_CERT_V2_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_SEQUENCE_OF,
+		.tag = 0,
+		.offset = offsetof(ESS_SIGNING_CERT_V2, cert_ids),
+		.field_name = "cert_ids",
+		.item = &ESS_CERT_ID_V2_it,
+	},
+	{
+		.flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(ESS_SIGNING_CERT_V2, policy_info),
+		.field_name = "policy_info",
+		.item = &POLICYINFO_it,
+	},
+};
+
+static const ASN1_ITEM ESS_SIGNING_CERT_V2_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = ESS_SIGNING_CERT_V2_seq_tt,
+	.tcount = sizeof(ESS_SIGNING_CERT_V2_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(ESS_SIGNING_CERT_V2),
+	.sname = "ESS_SIGNING_CERT_V2",
+};
+
+ESS_SIGNING_CERT_V2 *
+d2i_ESS_SIGNING_CERT_V2(ESS_SIGNING_CERT_V2 **a, const unsigned char **in, long len)
+{
+	return (ESS_SIGNING_CERT_V2 *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &ESS_SIGNING_CERT_V2_it);
+}
+
+int
+i2d_ESS_SIGNING_CERT_V2(const ESS_SIGNING_CERT_V2 *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &ESS_SIGNING_CERT_V2_it);
+}
+
+ESS_SIGNING_CERT_V2 *
+ESS_SIGNING_CERT_V2_new(void)
+{
+	return (ESS_SIGNING_CERT_V2 *)ASN1_item_new(&ESS_SIGNING_CERT_V2_it);
+}
+
+void
+ESS_SIGNING_CERT_V2_free(ESS_SIGNING_CERT_V2 *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &ESS_SIGNING_CERT_V2_it);
+}
+
+ESS_SIGNING_CERT_V2 *
+ESS_SIGNING_CERT_V2_dup(ESS_SIGNING_CERT_V2 *x)
+{
+	return ASN1_item_dup(&ESS_SIGNING_CERT_V2_it, x);
+}
+
 /* Getting encapsulated TS_TST_INFO object from PKCS7. */
 TS_TST_INFO *
 PKCS7_to_TS_TST_INFO(PKCS7 *token)