From 8b6dc78cd2c7bb25ed687e3e9cf9c45ab5aa824d Mon Sep 17 00:00:00 2001
From: job
Date: Thu, 23 Feb 2023 18:12:32 +0000
Subject: [PATCH] Introduce X509_get0_uids() accessor function

By introducing X509_get0_uids(), one can add RPKI profile compliance checks to conform the absence of the issuerUID and subjectUID.

OK tb@ jsing@
---
 lib/libcrypto/Symbols.namespace     |  1 +
 lib/libcrypto/hidden/openssl/x509.h |  3 ++-
 lib/libcrypto/man/X509V3_get_d2i.3  | 27 ++++++++++++++++++++++++---
 lib/libcrypto/x509/x509.h           |  6 +++++-
 lib/libcrypto/x509/x509_set.c       | 13 ++++++++++++-
 5 files changed, 44 insertions(+), 6 deletions(-)

diff --git a/lib/libcrypto/Symbols.namespace b/lib/libcrypto/Symbols.namespace
index b4be562f6a8..c68e8970de1 100644
--- a/lib/libcrypto/Symbols.namespace
+++ b/lib/libcrypto/Symbols.namespace
@@ -341,6 +341,7 @@ _libre_X509_TRUST_set
 _libre_X509_NAME_oneline
 _libre_X509_get0_extensions
 _libre_X509_get0_tbs_sigalg
+_libre_X509_get0_uids
 _libre_X509_set_version
 _libre_X509_get_version
 _libre_X509_set_serialNumber
diff --git a/lib/libcrypto/hidden/openssl/x509.h b/lib/libcrypto/hidden/openssl/x509.h
index 59af41f9172..cdd09b40622 100644
--- a/lib/libcrypto/hidden/openssl/x509.h
+++ b/lib/libcrypto/hidden/openssl/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.1 2022/11/14 17:48:49 beck Exp $ */
+/* $OpenBSD: x509.h,v 1.2 2023/02/23 18:12:32 job Exp $ */
 /*
  * Copyright (c) 2022 Bob Beck
  *
@@ -105,6 +105,7 @@ LCRYPTO_USED(X509_TRUST_set);
 LCRYPTO_USED(X509_NAME_oneline);
 LCRYPTO_USED(X509_get0_extensions);
 LCRYPTO_USED(X509_get0_tbs_sigalg);
+LCRYPTO_USED(X509_get0_uids);
 LCRYPTO_USED(X509_set_version);
 LCRYPTO_USED(X509_get_version);
 LCRYPTO_USED(X509_set_serialNumber);
diff --git a/lib/libcrypto/man/X509V3_get_d2i.3 b/lib/libcrypto/man/X509V3_get_d2i.3
index 4e1a003365b..30f03c6395b 100644
--- a/lib/libcrypto/man/X509V3_get_d2i.3
+++ b/lib/libcrypto/man/X509V3_get_d2i.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509V3_get_d2i.3,v 1.19 2021/07/12 14:54:00 schwarze Exp $
+.\" $OpenBSD: X509V3_get_d2i.3,v 1.20 2023/02/23 18:12:32 job Exp $
 .\" full merge up to: OpenSSL ff7fbfd5 Nov 2 11:52:01 2015 +0000
 .\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 12 2021 $
+.Dd $Mdocdate: February 23 2023 $
 .Dt X509V3_GET_D2I 3
 .Os
 .Sh NAME
@@ -65,7 +65,8 @@
 .Nm X509_REVOKED_add1_ext_i2d ,
 .Nm X509_get0_extensions ,
 .Nm X509_CRL_get0_extensions ,
-.Nm X509_REVOKED_get0_extensions
+.Nm X509_REVOKED_get0_extensions ,
+.Nm X509_get0_uids
 .Nd X509 extension decode and encode functions
 .Sh SYNOPSIS
 .In openssl/x509v3.h
@@ -151,6 +152,12 @@
 .Fo X509_REVOKED_get0_extensions
 .Fa "const X509_REVOKED *r"
 .Fc
+.Ft void
+.Fo X509_get0_uids
+.Fa "const X509 *x"
+.Fa "const ASN1_BIT_STRING **piuid"
+.Fa "const ASN1_BIT_STRING **psuid"
+.Fc
 .Sh DESCRIPTION
 .Fn X509V3_get_d2i
 looks for an extension with OID
@@ -300,6 +307,16 @@
 if the extension is not found, occurs multiple times or cannot be decoded.
 It is possible to determine the precise reason by checking the value of
 .Pf * Fa crit .
+.Pp
+.Fn X509_get0_uids
+sets
+.Fa *piuid
+and
+.Fa *psuid
+to the issuer and subject unique identifiers of certificate
+.Fa x
+or NULL if the fields are not present.
+These fields are rarely used.
 .Sh SUPPORTED EXTENSIONS
 The following sections contain a list of all supported extensions
 including their name and NID.
@@ -449,3 +466,7 @@ and
 .Fn X509_REVOKED_get0_extensions
 first appeared in OpenSSL 1.1.0 and have been available since
 .Ox 6.3 .
+.Pp
+.Fn X509_get0_uids
+first appeared in OpenSSL 1.1.0 and has been available since
+.Ox 7.3 .
diff --git a/lib/libcrypto/x509/x509.h b/lib/libcrypto/x509/x509.h
index 4ecad066c16..e31f7182d34 100644
--- a/lib/libcrypto/x509/x509.h
+++ b/lib/libcrypto/x509/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.92 2022/12/26 16:00:36 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.93 2023/02/23 18:12:32 job Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -771,6 +771,10 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it,
 #endif
 
 const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
+#if defined(LIBRESSL_INTERNAL) || defined(LIBRESSL_NEXT_API)
+void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
+    const ASN1_BIT_STRING **psuid);
+#endif
 const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x);
 int X509_set_version(X509 *x, long version);
 long X509_get_version(const X509 *x);
diff --git a/lib/libcrypto/x509/x509_set.c b/lib/libcrypto/x509/x509_set.c
index e65ffb3b4de..19e0f2b55f4 100644
--- a/lib/libcrypto/x509/x509_set.c
+++ b/lib/libcrypto/x509/x509_set.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_set.c,v 1.23 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x509_set.c,v 1.24 2023/02/23 18:12:32 job Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -242,3 +242,14 @@ X509_get_X509_PUBKEY(const X509 *x)
 	return x->cert_info->key;
 }
 LCRYPTO_ALIAS(X509_get_X509_PUBKEY);
+
+void
+X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
+    const ASN1_BIT_STRING **psuid)
+{
+	if (piuid != NULL)
+		*piuid = x->cert_info->issuerUID;
+	if (psuid != NULL)
+		*psuid = x->cert_info->subjectUID;
+}
+LCRYPTO_ALIAS(X509_get0_uids);
-- 
2.20.1
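Review bot: The new prototype in the x509.h hunk at line 771 is wrapped in `#if defined(LIBRESSL_INTERNAL) || defined(LIBRESSL_NEXT_API)`, so ordinary consumers of the public header do not see it, while the manual page hunk in this same commit says X509_get0_uids "has been available since OpenBSD 7.3" without mentioning that gate, and the Symbols.namespace and hidden/openssl/x509.h hunks export the symbol unconditionally. A caller such as an RPKI validator built against the public header will hit an implicit-declaration error even though the symbol links, which is a confusing inconsistency for exactly the audience the commit message targets. If the guard is meant to be dropped before the 7.3 release, the commit description should say so; otherwise the manual's HISTORY entry should state that the declaration is only exposed under `LIBRESSL_NEXT_API`.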
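Review bot: The new X509_get0_uids in the x509_set.c hunk at line 242 carries no comment, and the fact that either out-pointer may be NULL (the `if (piuid != NULL)` and `if (psuid != NULL)` guards) is documented nowhere; the manual page hunk says the function "sets *piuid and *psuid" unconditionally. Suggest a comment above the definition stating that the returned pointers are borrowed from `x` (get0 semantics, valid only as long as `x` lives), that a NULL result means the OPTIONAL field is absent, that a NULL out-pointer is simply skipped, and that `x` must be non-NULL since `x->cert_info` is dereferenced without a check, as the neighbouring X509_get_X509_PUBKEY also does. For the RPKI compliance check the commit message has in mind, the comment could also note that callers should test pointer presence rather than bit-string length, because the profile forbids the fields being present at all, not a particular content.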