From ba539a43659d46be5767f3629998d4a3bef0809e Mon Sep 17 00:00:00 2001
From: kn
Date: Sat, 16 Jul 2022 18:36:36 +0000
Subject: [PATCH] Add ESSCertIDv2 ASN.1 boilerplate
Guard the new code under LIBRESSL_INTERNAL to defer symbol addition and minor library bump (thanks tb). ts/ts.h bits from RFC 5035 Enhanced Security Services (ESS) Update: Adding CertID Algorithm Agility ts/ts_asn1.c bits expanded from ASN1_SEQUENCE(ESS_CERT_ID_V2) = { ASN1_OPT(ESS_CERT_ID_V2, hash_alg, X509_ALGOR), ASN1_SIMPLE(ESS_CERT_ID_V2, hash, ASN1_OCTET_STRING), ASN1_OPT(ESS_CERT_ID_V2, issuer_serial, ESS_ISSUER_SERIAL) } static_ASN1_SEQUENCE_END(ESS_CERT_ID_V2) IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID_V2) IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2) ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = { ASN1_SEQUENCE_OF(ESS_SIGNING_CERT_V2, cert_ids, ESS_CERT_ID_V2), ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT_V2, policy_info, POLICYINFO) } static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT_V2) IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT_V2) IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2) Feedback OK tb
---
 lib/libcrypto/ts/ts.h | 47 +++++++++++++-
 lib/libcrypto/ts/ts_asn1.c | 125 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 170 insertions(+), 2 deletions(-)
diff --git a/lib/libcrypto/ts/ts.h b/lib/libcrypto/ts/ts.h
index b2fe32bf771..6d4b2dd3a60 100644
--- a/lib/libcrypto/ts/ts.h
+++ b/lib/libcrypto/ts/ts.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts.h,v 1.12 2022/07/16 15:02:29 kn Exp $ */
+/* $OpenBSD: ts.h,v 1.13 2022/07/16 18:36:36 kn Exp $ */
 /* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
 * project 2002, 2003, 2004.
 */
@@ -264,6 +264,34 @@ typedef struct ESS_signing_cert {
 STACK_OF(POLICYINFO) *policy_info;
 } ESS_SIGNING_CERT;
 
+#ifdef LIBRESSL_INTERNAL
+/*
+ * ESSCertIDv2 ::= SEQUENCE {
+ * hashAlgorithm AlgorithmIdentifier
+ * DEFAULT {algorithm id-sha256},
+ * certHash Hash,
+ * issuerSerial IssuerSerial OPTIONAL }
+ */
+
+typedef struct ESS_cert_id_v2 {
+ X509_ALGOR *hash_alg; /* Default SHA-256. */
+ ASN1_OCTET_STRING *hash;
+ ESS_ISSUER_SERIAL *issuer_serial;
+} ESS_CERT_ID_V2;
+
+DECLARE_STACK_OF(ESS_CERT_ID_V2)
+
+/*
+ * SigningCertificateV2 ::= SEQUENCE {
+ * certs SEQUENCE OF ESSCertIDv2,
+ * policies SEQUENCE OF PolicyInformation OPTIONAL }
+ */
+
+typedef struct ESS_signing_cert_v2 {
+ STACK_OF(ESS_CERT_ID_V2) *cert_ids;
+ STACK_OF(POLICYINFO) *policy_info;
+} ESS_SIGNING_CERT_V2;
+#endif /* LIBRESSL_INTERNAL */
 
 TS_REQ *TS_REQ_new(void);
 void TS_REQ_free(TS_REQ *a);
@@ -351,6 +379,23 @@ ESS_SIGNING_CERT *d2i_ESS_SIGNING_CERT(ESS_SIGNING_CERT **a,
 const unsigned char **pp, long length);
 ESS_SIGNING_CERT *ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *a);
 
+#ifdef LIBRESSL_INTERNAL
+ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new(void);
+void ESS_CERT_ID_V2_free(ESS_CERT_ID_V2 *a);
+int i2d_ESS_CERT_ID_V2(const ESS_CERT_ID_V2 *a, unsigned char **pp);
+ESS_CERT_ID_V2 *d2i_ESS_CERT_ID_V2(ESS_CERT_ID_V2 **a, const unsigned char **pp,
+ long length);
+ESS_CERT_ID_V2 *ESS_CERT_ID_V2_dup(ESS_CERT_ID_V2 *a);
+
+ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_new(void);
+void ESS_SIGNING_CERT_V2_free(ESS_SIGNING_CERT_V2 *a);
+int i2d_ESS_SIGNING_CERT_V2(const ESS_SIGNING_CERT_V2 *a,
+ unsigned char **pp);
+ESS_SIGNING_CERT_V2 *d2i_ESS_SIGNING_CERT_V2(ESS_SIGNING_CERT_V2 **a,
+ const unsigned char **pp, long length);
+ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_dup(ESS_SIGNING_CERT_V2 *a);
+#endif /* LIBRESSL_INTERNAL */
+
 int TS_REQ_set_version(TS_REQ *a, long version);
 long TS_REQ_get_version(const TS_REQ *a);
 
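Review bot: The comment `/* Default SHA-256. */` on `hash_alg` in the new `struct ESS_cert_id_v2` understates what the field holds: the matching template in ts_asn1.c marks it `ASN1_TFLG_OPTIONAL`, so a decoded value whose sender omitted the RFC 5035 default comes back as NULL, and a DER producer must likewise leave it NULL rather than fill in an explicit sha256 AlgorithmIdentifier, since X.690 forbids encoding a component equal to its DEFAULT. Spelling out both sides on the field would save every consumer a trip to the RFC: `X509_ALGOR *hash_alg; /* NULL means the RFC 5035 DEFAULT id-sha256; keep NULL when DER-encoding SHA-256. */`. The `struct ESS_signing_cert` whose closing lines open this hunk begins outside it.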
diff --git a/lib/libcrypto/ts/ts_asn1.c b/lib/libcrypto/ts/ts_asn1.c
index bc89f1368af..c4316d13f84 100644
--- a/lib/libcrypto/ts/ts_asn1.c
+++ b/lib/libcrypto/ts/ts_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_asn1.c,v 1.11 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ts_asn1.c,v 1.12 2022/07/16 18:36:36 kn Exp $ */
 /* Written by Nils Larsch for the OpenSSL project 2004.
 */
 /* ====================================================================
@@ -846,6 +846,129 @@ ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *x)
 return ASN1_item_dup(&ESS_SIGNING_CERT_it, x);
 }
 
+static const ASN1_TEMPLATE ESS_CERT_ID_V2_seq_tt[] = {
+ {
+ .flags = ASN1_TFLG_OPTIONAL,
+ .tag = 0,
+ .offset = offsetof(ESS_CERT_ID_V2, hash_alg),
+ .field_name = "hash_alg",
+ .item = &X509_ALGOR_it,
+ },
+ {
+ .flags = 0,
+ .tag = 0,
+ .offset = offsetof(ESS_CERT_ID_V2, hash),
+ .field_name = "hash",
+ .item = &ASN1_OCTET_STRING_it,
+ },
+ {
+ .flags = ASN1_TFLG_OPTIONAL,
+ .tag = 0,
+ .offset = offsetof(ESS_CERT_ID_V2, issuer_serial),
+ .field_name = "issuer_serial",
+ .item = &ESS_ISSUER_SERIAL_it,
+ },
+};
+
+static const ASN1_ITEM ESS_CERT_ID_V2_it = {
+ .itype = ASN1_ITYPE_SEQUENCE,
+ .utype = V_ASN1_SEQUENCE,
+ .templates = ESS_CERT_ID_V2_seq_tt,
+ .tcount = sizeof(ESS_CERT_ID_V2_seq_tt) / sizeof(ASN1_TEMPLATE),
+ .funcs = NULL,
+ .size = sizeof(ESS_CERT_ID_V2),
+ .sname = "ESS_CERT_ID_V2",
+};
+
+ESS_CERT_ID_V2 *
+d2i_ESS_CERT_ID_V2(ESS_CERT_ID_V2 **a, const unsigned char **in, long len)
+{
+ return (ESS_CERT_ID_V2 *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+ &ESS_CERT_ID_V2_it);
+}
+
+int
+i2d_ESS_CERT_ID_V2(const ESS_CERT_ID_V2 *a, unsigned char **out)
+{
+ return ASN1_item_i2d((ASN1_VALUE *)a, out, &ESS_CERT_ID_V2_it);
+}
+
+ESS_CERT_ID_V2 *
+ESS_CERT_ID_V2_new(void)
+{
+ return (ESS_CERT_ID_V2 *)ASN1_item_new(&ESS_CERT_ID_V2_it);
+}
+
+void
+ESS_CERT_ID_V2_free(ESS_CERT_ID_V2 *a)
+{
+ ASN1_item_free((ASN1_VALUE *)a, &ESS_CERT_ID_V2_it);
+}
+
+ESS_CERT_ID_V2 *
+ESS_CERT_ID_V2_dup(ESS_CERT_ID_V2 *x)
+{
+ return ASN1_item_dup(&ESS_CERT_ID_V2_it, x);
+}
+
+static const ASN1_TEMPLATE ESS_SIGNING_CERT_V2_seq_tt[] = {
+ {
+ .flags = ASN1_TFLG_SEQUENCE_OF,
+ .tag = 0,
+ .offset = offsetof(ESS_SIGNING_CERT_V2, cert_ids),
+ .field_name = "cert_ids",
+ .item = &ESS_CERT_ID_V2_it,
+ },
+ {
+ .flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+ .tag = 0,
+ .offset = offsetof(ESS_SIGNING_CERT_V2, policy_info),
+ .field_name = "policy_info",
+ .item = &POLICYINFO_it,
+ },
+};
+
+static const ASN1_ITEM ESS_SIGNING_CERT_V2_it = {
+ .itype = ASN1_ITYPE_SEQUENCE,
+ .utype = V_ASN1_SEQUENCE,
+ .templates = ESS_SIGNING_CERT_V2_seq_tt,
+ .tcount = sizeof(ESS_SIGNING_CERT_V2_seq_tt) / sizeof(ASN1_TEMPLATE),
+ .funcs = NULL,
+ .size = sizeof(ESS_SIGNING_CERT_V2),
+ .sname = "ESS_SIGNING_CERT_V2",
+};
+
+ESS_SIGNING_CERT_V2 *
+d2i_ESS_SIGNING_CERT_V2(ESS_SIGNING_CERT_V2 **a, const unsigned char **in, long len)
+{
+ return (ESS_SIGNING_CERT_V2 *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+ &ESS_SIGNING_CERT_V2_it);
+}
+
+int
+i2d_ESS_SIGNING_CERT_V2(const ESS_SIGNING_CERT_V2 *a, unsigned char **out)
+{
+ return ASN1_item_i2d((ASN1_VALUE *)a, out, &ESS_SIGNING_CERT_V2_it);
+}
+
+ESS_SIGNING_CERT_V2 *
+ESS_SIGNING_CERT_V2_new(void)
+{
+ return (ESS_SIGNING_CERT_V2 *)ASN1_item_new(&ESS_SIGNING_CERT_V2_it);
+}
+
+void
+ESS_SIGNING_CERT_V2_free(ESS_SIGNING_CERT_V2 *a)
+{
+ ASN1_item_free((ASN1_VALUE *)a, &ESS_SIGNING_CERT_V2_it);
+}
+
+ESS_SIGNING_CERT_V2 *
+ESS_SIGNING_CERT_V2_dup(ESS_SIGNING_CERT_V2 *x)
+{
+ return ASN1_item_dup(&ESS_SIGNING_CERT_V2_it, x);
+}
+
 /* Getting encapsulated TS_TST_INFO object from PKCS7. */
 TS_TST_INFO *
 PKCS7_to_TS_TST_INFO(PKCS7 *token)
-- 
2.20.1
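Review bot: Nothing in `ESS_SIGNING_CERT_V2_seq_tt` can express that `cert_ids` must be non-empty, yet RFC 5035 requires the first ESSCertIDv2 to identify the signing certificate, so a successfully decoded `ESS_SIGNING_CERT_V2` may carry an empty stack and any later consumer has to check `sk_ESS_CERT_ID_V2_num(cert_ids) > 0` before reaching for element 0. The template entry is the natural place to record that this check belongs to the caller, e.g. `/* RFC 5035: at least one entry and the first names the signing cert; not enforced by the template. */` above `.flags = ASN1_TFLG_SEQUENCE_OF`. Likewise the `hash_alg` entry models the RFC's DEFAULT id-sha256 as OPTIONAL, so a NULL `hash_alg` after `d2i_ESS_CERT_ID_V2` means SHA-256 and should be documented as such on that entry. `ESS_SIGNING_CERT_dup` at the top of the hunk begins outside it and `PKCS7_to_TS_TST_INFO` at the bottom continues past it.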