Introduce X509_get0_uids() accessor function

By introducing X509_get0_uids(), one can add RPKI profile compliance checks to conform the absence of the issuerUID and subjectUID. OK tb@ jsing@
author: job <> 2023-02-23 18:12:32 +0000
committer: job <> 2023-02-23 18:12:32 +0000
commit: 45e10d130dd01f514cf8227acec3008ab3fa9b98 (patch)
tree: a66ebeded65ea7f94fc6820531700d59a0ed41b5 /src
parent: 6ab4577bb02bca6266d48e06338bd309a6da761c (diff)
download: openbsd-45e10d130dd01f514cf8227acec3008ab3fa9b98.tar.gz
openbsd-45e10d130dd01f514cf8227acec3008ab3fa9b98.tar.bz2
openbsd-45e10d130dd01f514cf8227acec3008ab3fa9b98.zip
5 files changed, 44 insertions, 6 deletions
diff --git a/src/lib/libcrypto/Symbols.namespace b/src/lib/libcrypto/Symbols.namespace
index b4be562f6a..c68e8970de 100644
--- a/src/lib/libcrypto/Symbols.namespace
+++ b/src/lib/libcrypto/Symbols.namespace
@@ -341,6 +341,7 @@ _libre_X509_TRUST_set
 _libre_X509_NAME_oneline
 _libre_X509_get0_extensions
 _libre_X509_get0_tbs_sigalg
+_libre_X509_get0_uids
 _libre_X509_set_version
 _libre_X509_get_version
 _libre_X509_set_serialNumber
diff --git a/src/lib/libcrypto/hidden/openssl/x509.h b/src/lib/libcrypto/hidden/openssl/x509.h
index 59af41f917..cdd09b4062 100644
--- a/src/lib/libcrypto/hidden/openssl/x509.h
+++ b/src/lib/libcrypto/hidden/openssl/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.1 2022/11/14 17:48:49 beck Exp $ */
+/* $OpenBSD: x509.h,v 1.2 2023/02/23 18:12:32 job Exp $ */
 /*
 * Copyright (c) 2022 Bob Beck <beck@openbsd.org>
 *
@@ -105,6 +105,7 @@ LCRYPTO_USED(X509_TRUST_set);
 LCRYPTO_USED(X509_NAME_oneline);
 LCRYPTO_USED(X509_get0_extensions);
 LCRYPTO_USED(X509_get0_tbs_sigalg);
+LCRYPTO_USED(X509_get0_uids);
 LCRYPTO_USED(X509_set_version);
 LCRYPTO_USED(X509_get_version);
 LCRYPTO_USED(X509_set_serialNumber);
diff --git a/src/lib/libcrypto/man/X509V3_get_d2i.3 b/src/lib/libcrypto/man/X509V3_get_d2i.3
index 4e1a003365..30f03c6395 100644
--- a/src/lib/libcrypto/man/X509V3_get_d2i.3
+++ b/src/lib/libcrypto/man/X509V3_get_d2i.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509V3_get_d2i.3,v 1.19 2021/07/12 14:54:00 schwarze Exp $
+.\" $OpenBSD: X509V3_get_d2i.3,v 1.20 2023/02/23 18:12:32 job Exp $
 .\" full merge up to: OpenSSL ff7fbfd5 Nov 2 11:52:01 2015 +0000
 .\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 12 2021 $
+.Dd $Mdocdate: February 23 2023 $
 .Dt X509V3_GET_D2I 3
 .Os
 .Sh NAME
@@ -65,7 +65,8 @@
 .Nm X509_REVOKED_add1_ext_i2d ,
 .Nm X509_get0_extensions ,
 .Nm X509_CRL_get0_extensions ,
-.Nm X509_REVOKED_get0_extensions
+.Nm X509_REVOKED_get0_extensions ,
+.Nm X509_get0_uids
 .Nd X509 extension decode and encode functions
 .Sh SYNOPSIS
 .In openssl/x509v3.h
@@ -151,6 +152,12 @@
 .Fo X509_REVOKED_get0_extensions
 .Fa "const X509_REVOKED *r"
 .Fc
+.Ft void
+.Fo X509_get0_uids
+.Fa "const X509 *x"
+.Fa "const ASN1_BIT_STRING **piuid"
+.Fa "const ASN1_BIT_STRING **psuid"
+.Fc
 .Sh DESCRIPTION
 .Fn X509V3_get_d2i
 looks for an extension with OID
@@ -300,6 +307,16 @@ if the extension is not found, occurs multiple times or cannot be
 decoded.
 It is possible to determine the precise reason by checking the value of
 .Pf * Fa crit .
+.Pp
+.Fn X509_get0_uids
+sets
+.Fa *piuid
+and
+.Fa *psuid
+to the issuer and subject unique identifiers of certificate
+.Fa x
+or NULL if the fields are not present.
+These fields are rarely used.
 .Sh SUPPORTED EXTENSIONS
 The following sections contain a list of all supported extensions
 including their name and NID.
@@ -449,3 +466,7 @@ and
 .Fn X509_REVOKED_get0_extensions
 first appeared in OpenSSL 1.1.0 and have been available since
 .Ox 6.3 .
+.Pp
+.Fn X509_get0_uids
+first appeared in OpenSSL 1.1.0 and has been available since
+.Ox 7.3 .
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index 4ecad066c1..e31f7182d3 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.92 2022/12/26 16:00:36 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.93 2023/02/23 18:12:32 job Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -771,6 +771,10 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it,
 #endif
 const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
+#if defined(LIBRESSL_INTERNAL) || defined(LIBRESSL_NEXT_API)
+void            X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
+                    const ASN1_BIT_STRING **psuid);
+#endif
 const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x);
 int             X509_set_version(X509 *x, long version);
 long            X509_get_version(const X509 *x);
diff --git a/src/lib/libcrypto/x509/x509_set.c b/src/lib/libcrypto/x509/x509_set.c
index e65ffb3b4d..19e0f2b55f 100644
--- a/src/lib/libcrypto/x509/x509_set.c
+++ b/src/lib/libcrypto/x509/x509_set.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_set.c,v 1.23 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x509_set.c,v 1.24 2023/02/23 18:12:32 job Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -242,3 +242,14 @@ X509_get_X509_PUBKEY(const X509 *x)
        return x->cert_info->key;
 }
 LCRYPTO_ALIAS(X509_get_X509_PUBKEY);
+void
+X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
+    const ASN1_BIT_STRING **psuid)
+{
+        if (piuid != NULL)
+                *piuid = x->cert_info->issuerUID;
+        if (psuid != NULL)
+                *psuid = x->cert_info->subjectUID;
+}
+LCRYPTO_ALIAS(X509_get0_uids);
author	job <>	2023-02-23 18:12:32 +0000
committer	job <>	2023-02-23 18:12:32 +0000
commit	45e10d130dd01f514cf8227acec3008ab3fa9b98 (patch)
tree	a66ebeded65ea7f94fc6820531700d59a0ed41b5 /src
parent	6ab4577bb02bca6266d48e06338bd309a6da761c (diff)
download	openbsd-45e10d130dd01f514cf8227acec3008ab3fa9b98.tar.gz openbsd-45e10d130dd01f514cf8227acec3008ab3fa9b98.tar.bz2 openbsd-45e10d130dd01f514cf8227acec3008ab3fa9b98.zip