x509_acert: Add and retrieve certificate extensions

Add API to manage attribute certificate extensions Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from #15857)
openssl · Apr 24, 2024 · 1eeec94 · 1eeec94
1 parent b97fb22
commit 1eeec94
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 4 deletions.
diff --git a/crypto/x509/x509_acert.c b/crypto/x509/x509_acert.c
@@ -242,3 +242,19 @@ int X509_ACERT_add1_attr_by_txt(X509_ACERT *x, const char *attrname, int type,
 
     return X509at_add1_attr_by_txt(attrs, attrname, type, bytes, len) != NULL;
 }
+
+void *X509_ACERT_get_ext_d2i(const X509_ACERT *x, int nid, int *crit, int *idx)
+{
+    return X509V3_get_d2i(x->acinfo->extensions, nid, crit, idx);
+}
+
+int X509_ACERT_add1_ext_i2d(X509_ACERT *x, int nid, void *value, int crit,
+                            unsigned long flags)
+{
+    return X509V3_add1_i2d(&x->acinfo->extensions, nid, value, crit, flags);
+}
+
+const STACK_OF(X509_EXTENSION) *X509_ACERT_get0_extensions(const X509_ACERT *x)
+{
+    return x->acinfo->extensions;
+}
diff --git a/doc/man3/X509V3_get_d2i.pod b/doc/man3/X509V3_get_d2i.pod
@@ -4,9 +4,10 @@
 
 X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d,
 X509_get_ext_d2i, X509_add1_ext_i2d,
+X509_ACERT_get_ext_d2i, X509_ACERT_add1_ext_i2d,
 X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d,
 X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d,
-X509_get0_extensions, X509_CRL_get0_extensions,
+X509_get0_extensions, X509_ACERT_get0_extensions, X509_CRL_get0_extensions,
 X509_REVOKED_get0_extensions - X509 extension decode and encode functions
 
 =head1 SYNOPSIS
@@ -25,6 +26,10 @@ X509_REVOKED_get0_extensions - X509 extension decode and encode functions
  int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
                        unsigned long flags);
 
+ void *X509_ACERT_get_ext_d2i(const X509_ACERT *x, int nid, int *crit, int *idx);
+ int X509_ACERT_add1_ext_i2d(X509_ACERT *x, int nid, void *value, int crit,
+                             unsigned long flags);
+
  void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx);
  int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit,
                            unsigned long flags);
@@ -34,6 +39,7 @@ X509_REVOKED_get0_extensions - X509 extension decode and encode functions
                                unsigned long flags);
 
  const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
+ const STACK_OF(X509_EXTENSION) *X509_ACERT_get0_extensions(const X509 *x);
  const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
  const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r);
 
@@ -64,6 +70,10 @@ X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of
 certificate I<x>. They are otherwise identical to X509V3_get_d2i() and
 X509V3_add1_i2d().
 
+X509_ACERT_get_ext_d2i() and X509_ACERT_add1_ext_i2d() operate on the extensions
+of B<X509_ACERT> structure I<x>. They are otherwise identical to X509V3_get_d2i()
+and X509V3_add1_i2d().
+
 X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the extensions
 of CRL I<crl>. They are otherwise identical to X509V3_get_d2i() and
 X509V3_add1_i2d().
@@ -72,9 +82,10 @@ X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on the
 extensions of B<X509_REVOKED> structure I<r> (i.e for CRL entry extensions).
 They are otherwise identical to X509V3_get_d2i() and X509V3_add1_i2d().
 
-X509_get0_extensions(), X509_CRL_get0_extensions() and
-X509_REVOKED_get0_extensions() return a STACK of all the extensions
-of a certificate, a CRL or a CRL entry respectively.
+X509_get0_extensions(), X509_ACERT_get0_extensions(),
+X509_CRL_get0_extensions() and X509_REVOKED_get0_extensions() return a
+STACK of all the extensions of a certificate, an attribute certificate,
+a CRL or a CRL entry respectively.
 
 =head1 NOTES
 

diff --git a/include/openssl/x509_acert.h.in b/include/openssl/x509_acert.h.in
@@ -77,6 +77,11 @@ int X509_ACERT_get_attr_by_OBJ(const X509_ACERT *x, const ASN1_OBJECT *obj,
 X509_ATTRIBUTE *X509_ACERT_get_attr(const X509_ACERT *x, int loc);
 X509_ATTRIBUTE *X509_ACERT_delete_attr(X509_ACERT *x, int loc);
 
+void *X509_ACERT_get_ext_d2i(const X509_ACERT *x, int nid, int *crit, int *idx);
+int X509_ACERT_add1_ext_i2d(X509_ACERT *x, int nid, void *value, int crit,
+                            unsigned long flags);
+const STACK_OF(X509_EXTENSION) *X509_ACERT_get0_extensions(const X509_ACERT *x);
+
 # define OSSL_OBJECT_DIGEST_INFO_PUBLIC_KEY        0
 # define OSSL_OBJECT_DIGEST_INFO_PUBLIC_KEY_CERT   1
 # define OSSL_OBJECT_DIGEST_INFO_OTHER             2  /* must not be used in RFC 5755 profile */

diff --git a/util/libcrypto.num b/util/libcrypto.num
@@ -5615,3 +5615,6 @@ X509_ACERT_add1_attr_by_txt             ?	3_4_0	EXIST::FUNCTION:
 X509_ACERT_sign                         ?	3_4_0	EXIST::FUNCTION:
 X509_ACERT_sign_ctx                     ?	3_4_0	EXIST::FUNCTION:
 X509_ACERT_verify                       ?	3_4_0	EXIST::FUNCTION:
+X509_ACERT_get_ext_d2i                  ?	3_4_0	EXIST::FUNCTION:
+X509_ACERT_add1_ext_i2d                 ?	3_4_0	EXIST::FUNCTION:
+X509_ACERT_get0_extensions              ?	3_4_0	EXIST::FUNCTION: