Write new X509_ATTRIBUTE(3) manual page from scratch.

Both functions are listed in <openssl/x509.h> and in OpenSSL doc/man3/X509_dup.pod. OpenSSL documentation specifies the wrong header file. The design and use of this data type feels horrific. If you understand PKCS#8 or PKCS#10 and can explain why this was designed as it is, your contribution to this manual page is welcome.
author: schwarze <> 2016-12-17 14:51:09 +0000
committer: schwarze <> 2016-12-17 14:51:09 +0000
commit: f974ae969e821bbb92a8714ed0e77cf33487a2a8 (patch)
tree: a7e2a8bd34df838263152f958dd1f6c937f358d4 /src/lib
parent: b941a634e73204105b5df9d896333979d3c4a73f (diff)
download: openbsd-f974ae969e821bbb92a8714ed0e77cf33487a2a8.tar.gz
openbsd-f974ae969e821bbb92a8714ed0e77cf33487a2a8.tar.bz2
openbsd-f974ae969e821bbb92a8714ed0e77cf33487a2a8.zip
2 files changed, 101 insertions, 1 deletions
diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index 550b84104d..00460281c0 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.83 2016/12/17 01:08:14 schwarze Exp $
+# $OpenBSD: Makefile,v 1.84 2016/12/17 14:51:09 schwarze Exp $
 .include <bsd.own.mk>
@@ -177,6 +177,7 @@ MAN=	\
        UI_new.3 \
        X509V3_get_d2i.3 \
        X509_ALGOR_dup.3 \
+        X509_ATTRIBUTE_new.3 \
        X509_CINF_new.3 \
        X509_CRL_get0_by_serial.3 \
        X509_CRL_new.3 \
diff --git a/src/lib/libcrypto/man/X509_ATTRIBUTE_new.3 b/src/lib/libcrypto/man/X509_ATTRIBUTE_new.3
new file mode 100644
index 0000000000..1410bd5c78
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_ATTRIBUTE_new.3
@@ -0,0 +1,99 @@
+.\"     $OpenBSD: X509_ATTRIBUTE_new.3,v 1.1 2016/12/17 14:51:09 schwarze Exp $
+.\"
+.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: December 17 2016 $
+.Dt X509_ATTRIBUTE_NEW 3
+.Os
+.Sh NAME
+.Nm X509_ATTRIBUTE_new ,
+.Nm X509_ATTRIBUTE_free
+.\" In the following line, "X.501" and "Attribute" are not typos.
+.\" The "Attribute" type is defined in X.501, not in X.509.
+.\" The type in called "Attribute" with capital "A", not "attribute".
+.Nd generic X.501 Attribute
+.Sh SYNOPSIS
+.In openssl/x509.h
+.Ft X509_ATTRIBUTE *
+.Fn X509_ATTRIBUTE_new void
+.Ft void
+.Fn X509_ATTRIBUTE_free "X509_ATTRIBUTE *attr"
+.Sh DESCRIPTION
+In the X.501 standard, an Attribute is the fundamental ASN.1 data type
+used to represent any kind of property of any kind of directory entry.
+In OpenSSL, very few objects use it directly, most notably the
+.Vt X509_REQ_INFO
+object used for PKCS#10 certification requests described in
+.Xr X509_REQ_new 3
+and the
+.Vt PKCS8_PRIV_KEY_INFO
+object used for PKCS#8 private key information described in
+.Xr PKCS8_PRIV_KEY_INFO_new 3 .
+.Pp
+.Fn X509_ATTRIBUTE_new
+allocates and initializes an empty
+.Vt X509_ATTRIBUTE
+object.
+.Fn X509_ATTRIBUTE_free
+frees
+.Fa attr .
+.Sh RETURN VALUES
+.Fn X509_ATTRIBUTE_new
+returns the new
+.Vt X509_ATTRIBUTE
+object or
+.Dv NULL
+if an error occurs.
+.Sh SEE ALSO
+.Xr PKCS8_PRIV_KEY_INFO_new 3 ,
+.Xr X509_EXTENSION_new 3 ,
+.Xr X509_REQ_new 3
+.Sh STANDARDS
+.Bl -ohang
+.It For the general definition of the Attribute data type:
+ITU-T Recommendation X.501, also known as ISO/IEC 9594-2:
+Information Technology \(en Open Systems Interconnection \(en
+The Directory: Models, section 8.2: Overall structure
+.It For the specific definition in the context of certification requests:
+RFC 2986: PKCS #10: Certification Request Syntax Specification,
+section 4.1: CertificationRequestInfo
+.It For the specific use in the context of private key information:
+RFC 5208: Public-Key Cryptography Standards (PKCS) #8:
+Private-Key Information Syntax Specification
+.El
+.Sh BUGS
+A data type designed to hold arbitrary data is an oxymoron.
+.Pp
+While it may occasionally be useful for abstract syntax specification
+or for generic container objects, using it for the representation
+of specific data in a specific data structure feels like dubious
+design.
+.Pp
+Having two distinct data types to hold arbitrary data \(en
+in this case,
+.Vt X509_ATTRIBUTE
+on the X.501 language level and
+.Vt X509_EXTENSION
+as described in
+.Xr X509_EXTENSION_new 3
+on the X.509 language level \(en feels even more questionable,
+in particular considering that Attributes in certification requests
+can be used to ask for Extensions in certificates.
+.Pp
+At the very least, the direct use of the low-level generic
+.Vt X509_ATTRIBUTE
+type in specific data types like certification requests or private
+key information looks like a layering violation and appears to put
+type safety into jeopardy.
author	schwarze <>	2016-12-17 14:51:09 +0000
committer	schwarze <>	2016-12-17 14:51:09 +0000
commit	f974ae969e821bbb92a8714ed0e77cf33487a2a8 (patch)
tree	a7e2a8bd34df838263152f958dd1f6c937f358d4 /src/lib
parent	b941a634e73204105b5df9d896333979d3c4a73f (diff)
download	openbsd-f974ae969e821bbb92a8714ed0e77cf33487a2a8.tar.gz openbsd-f974ae969e821bbb92a8714ed0e77cf33487a2a8.tar.bz2 openbsd-f974ae969e821bbb92a8714ed0e77cf33487a2a8.zip

diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile index 550b84104d..00460281c0 100644 --- a/src/lib/libcrypto/man/Makefile +++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.83 2016/12/17 01:08:14 schwarze Exp $	1	# $OpenBSD: Makefile,v 1.84 2016/12/17 14:51:09 schwarze Exp $
2		2
3	.include <bsd.own.mk>	3	.include <bsd.own.mk>
4		4
@@ -177,6 +177,7 @@ MAN= \
177	UI_new.3 \	177	UI_new.3 \
178	X509V3_get_d2i.3 \	178	X509V3_get_d2i.3 \
179	X509_ALGOR_dup.3 \	179	X509_ALGOR_dup.3 \
		180	X509_ATTRIBUTE_new.3 \
180	X509_CINF_new.3 \	181	X509_CINF_new.3 \
181	X509_CRL_get0_by_serial.3 \	182	X509_CRL_get0_by_serial.3 \
182	X509_CRL_new.3 \	183	X509_CRL_new.3 \


diff --git a/src/lib/libcrypto/man/X509_ATTRIBUTE_new.3 b/src/lib/libcrypto/man/X509_ATTRIBUTE_new.3 new file mode 100644 index 0000000000..1410bd5c78 --- /dev/null +++ b/src/lib/libcrypto/man/X509_ATTRIBUTE_new.3
@@ -0,0 +1,99 @@
		1	.\" $OpenBSD: X509_ATTRIBUTE_new.3,v 1.1 2016/12/17 14:51:09 schwarze Exp $
		2	.\"
		3	.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
		4	.\"
		5	.\" Permission to use, copy, modify, and distribute this software for any
		6	.\" purpose with or without fee is hereby granted, provided that the above
		7	.\" copyright notice and this permission notice appear in all copies.
		8	.\"
		9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		16	.\"
		17	.Dd $Mdocdate: December 17 2016 $
		18	.Dt X509_ATTRIBUTE_NEW 3
		19	.Os
		20	.Sh NAME
		21	.Nm X509_ATTRIBUTE_new ,
		22	.Nm X509_ATTRIBUTE_free
		23	.\" In the following line, "X.501" and "Attribute" are not typos.
		24	.\" The "Attribute" type is defined in X.501, not in X.509.
		25	.\" The type in called "Attribute" with capital "A", not "attribute".
		26	.Nd generic X.501 Attribute
		27	.Sh SYNOPSIS
		28	.In openssl/x509.h
		29	.Ft X509_ATTRIBUTE *
		30	.Fn X509_ATTRIBUTE_new void
		31	.Ft void
		32	.Fn X509_ATTRIBUTE_free "X509_ATTRIBUTE *attr"
		33	.Sh DESCRIPTION
		34	In the X.501 standard, an Attribute is the fundamental ASN.1 data type
		35	used to represent any kind of property of any kind of directory entry.
		36	In OpenSSL, very few objects use it directly, most notably the
		37	.Vt X509_REQ_INFO
		38	object used for PKCS#10 certification requests described in
		39	.Xr X509_REQ_new 3
		40	and the
		41	.Vt PKCS8_PRIV_KEY_INFO
		42	object used for PKCS#8 private key information described in
		43	.Xr PKCS8_PRIV_KEY_INFO_new 3 .
		44	.Pp
		45	.Fn X509_ATTRIBUTE_new
		46	allocates and initializes an empty
		47	.Vt X509_ATTRIBUTE
		48	object.
		49	.Fn X509_ATTRIBUTE_free
		50	frees
		51	.Fa attr .
		52	.Sh RETURN VALUES
		53	.Fn X509_ATTRIBUTE_new
		54	returns the new
		55	.Vt X509_ATTRIBUTE
		56	object or
		57	.Dv NULL
		58	if an error occurs.
		59	.Sh SEE ALSO
		60	.Xr PKCS8_PRIV_KEY_INFO_new 3 ,
		61	.Xr X509_EXTENSION_new 3 ,
		62	.Xr X509_REQ_new 3
		63	.Sh STANDARDS
		64	.Bl -ohang
		65	.It For the general definition of the Attribute data type:
		66	ITU-T Recommendation X.501, also known as ISO/IEC 9594-2:
		67	Information Technology \(en Open Systems Interconnection \(en
		68	The Directory: Models, section 8.2: Overall structure
		69	.It For the specific definition in the context of certification requests:
		70	RFC 2986: PKCS #10: Certification Request Syntax Specification,
		71	section 4.1: CertificationRequestInfo
		72	.It For the specific use in the context of private key information:
		73	RFC 5208: Public-Key Cryptography Standards (PKCS) #8:
		74	Private-Key Information Syntax Specification
		75	.El
		76	.Sh BUGS
		77	A data type designed to hold arbitrary data is an oxymoron.
		78	.Pp
		79	While it may occasionally be useful for abstract syntax specification
		80	or for generic container objects, using it for the representation
		81	of specific data in a specific data structure feels like dubious
		82	design.
		83	.Pp
		84	Having two distinct data types to hold arbitrary data \(en
		85	in this case,
		86	.Vt X509_ATTRIBUTE
		87	on the X.501 language level and
		88	.Vt X509_EXTENSION
		89	as described in
		90	.Xr X509_EXTENSION_new 3
		91	on the X.509 language level \(en feels even more questionable,
		92	in particular considering that Attributes in certification requests
		93	can be used to ask for Extensions in certificates.
		94	.Pp
		95	At the very least, the direct use of the low-level generic
		96	.Vt X509_ATTRIBUTE
		97	type in specific data types like certification requests or private
		98	key information looks like a layering violation and appears to put
		99	type safety into jeopardy.