Document X509v3_{addr,asid}_inherits(3)

Also note another bug in X509v3_asid_{canonize,is_canonical}(3).
author: tb <> 2023-09-26 20:42:45 +0000
committer: tb <> 2023-09-26 20:42:45 +0000
commit: 69bb4041f1907aa069bdef3c3f546e3d34b5470b (patch)
tree: b97d15e08bb4f538df6cfd69070f7d55ef5d434a /src
parent: 2fb34de3060792a0eb0a3d391d55a8644cbae70b (diff)
download: openbsd-69bb4041f1907aa069bdef3c3f546e3d34b5470b.tar.gz
openbsd-69bb4041f1907aa069bdef3c3f546e3d34b5470b.tar.bz2
openbsd-69bb4041f1907aa069bdef3c3f546e3d34b5470b.zip
6 files changed, 140 insertions, 5 deletions
diff --git a/src/lib/libcrypto/man/ASIdentifiers_new.3 b/src/lib/libcrypto/man/ASIdentifiers_new.3
index a67c54434c..613fd3ce80 100644
--- a/src/lib/libcrypto/man/ASIdentifiers_new.3
+++ b/src/lib/libcrypto/man/ASIdentifiers_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASIdentifiers_new.3,v 1.5 2023/09/26 15:34:23 tb Exp $
+.\" $OpenBSD: ASIdentifiers_new.3,v 1.6 2023/09/26 20:42:45 tb Exp $
 .\"
 .\" Copyright (c) 2021 Theo Buehler <tb@openbsd.org>
 .\"
@@ -113,6 +113,7 @@ or a value <= 0 if an error occurs.
 .Xr IPAddressRange_new 3 ,
 .Xr X509_new 3 ,
 .Xr X509v3_asid_add_id_or_range 3
+.Xr X509v3_asid_inherits 3
 .Sh STANDARDS
 RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
 .Bl -dash -compact
diff --git a/src/lib/libcrypto/man/IPAddressRange_new.3 b/src/lib/libcrypto/man/IPAddressRange_new.3
index 262cbd8c81..bee18bc0b4 100644
--- a/src/lib/libcrypto/man/IPAddressRange_new.3
+++ b/src/lib/libcrypto/man/IPAddressRange_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: IPAddressRange_new.3,v 1.2 2023/09/26 18:35:34 tb Exp $
+.\" $OpenBSD: IPAddressRange_new.3,v 1.3 2023/09/26 20:42:45 tb Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -464,6 +464,7 @@ or a value <= 0 if an error occurs.
 .Xr crypto 3 ,
 .Xr X509_new 3 ,
 .Xr X509v3_addr_add_inherit 3 ,
+.Xr X509v3_addr_inherits 3
 .Sh STANDARDS
 RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
 .Bl -dash -compact
diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index 9ab2a34823..9bf40343e4 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.273 2023/09/26 18:35:34 tb Exp $
+# $OpenBSD: Makefile,v 1.274 2023/09/26 20:42:45 tb Exp $
 .include <bsd.own.mk>
@@ -394,6 +394,7 @@ MAN=	\
        X509at_get_attr.3 \
        X509v3_addr_add_inherit.3 \
        X509v3_addr_get_range.3 \
+        X509v3_addr_inherits.3 \
        X509v3_asid_add_id_or_range.3 \
        X509v3_asid_add_id_or_range.3 \
        X509v3_get_ext_by_NID.3 \
diff --git a/src/lib/libcrypto/man/X509_new.3 b/src/lib/libcrypto/man/X509_new.3
index ebffc7e69b..dea1b256ce 100644
--- a/src/lib/libcrypto/man/X509_new.3
+++ b/src/lib/libcrypto/man/X509_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_new.3,v 1.40 2023/09/26 15:34:23 tb Exp $
+.\" $OpenBSD: X509_new.3,v 1.41 2023/09/26 20:42:45 tb Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -243,6 +243,8 @@ if an error occurs.
 .Xr X509_STORE_new 3 ,
 .Xr X509_TRUST_set 3 ,
 .Xr X509v3_addr_add_inherit 3 ,
+.Xr X509v3_addr_get_range 3 ,
+.Xr X509v3_addr_inherits 3 ,
 .Xr X509v3_asid_add_id_or_range 3
 .Sh STANDARDS
 RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
diff --git a/src/lib/libcrypto/man/X509v3_addr_inherits.3 b/src/lib/libcrypto/man/X509v3_addr_inherits.3
new file mode 100644
index 0000000000..a8465afb38
--- /dev/null
+++ b/src/lib/libcrypto/man/X509v3_addr_inherits.3
@@ -0,0 +1,106 @@
+.\" $OpenBSD: X509v3_addr_inherits.3,v 1.1 2023/09/26 20:42:45 tb Exp $
+.\"
+.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: September 26 2023 $
+.Dt X509V3_ADDR_INHERITS 3
+.Os
+.Sh NAME
+.Nm X509v3_addr_inherits ,
+.Nm X509v3_asid_inherits
+.Nd inheritance for the IP address and AS number delegation extensions
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft int
+.Fn X509v3_addr_inherits "IPAddrBlocks *addrblocks"
+.Ft int
+.Fn X509v3_asid_inherits "ASIdentifiers *asids"
+.Sh DESCRIPTION
+.Fn X509v3_addr_inherits
+determines if there is at least one address family in
+.Fa addrblocks
+that uses inheritance.
+.Pp
+.Fn X509v3_asid_inherits
+is intended to determine if at least one of
+the list of autonomous system numbers or
+the list of routing domain identifiers
+uses inheritance.
+.Sh RETURN VALUES
+.Fn X509v3_addr_inherits
+returns 1 if and only if
+.Fa addrblocks
+contains at least one
+.Fa IPAddressFamily
+object that is correctly marked
+.Dq inherit :
+its
+.Fa IPAddressChoice
+is of
+.Fa type
+.Dv IPAddressChoice_inherit
+and its
+.Fa inherit
+element is present.
+Otherwise it returns 0.
+.Pp
+.Fn X509v3_asid_inherits
+returns 1 if and only if
+at least one of the
+.Fa asnum
+or the
+.Fa rdi
+lists has
+.Fa type
+.Dv ASIdentifierChoice_inherit .
+Otherwise
+.Fn X509v3_asid_inherits 3
+returns 0.
+.Sh SEE ALSO
+.Xr ASIdentifiers_new 3 ,
+.Xr ASRange_new 3 ,
+.Xr crypto 3 ,
+.Xr IPAddressRange_new 3 ,
+.Xr X509_new 3 ,
+.Xr X509v3_addr_add_inherit 3 ,
+.Xr X509v3_asid_add_inherit 3
+.Sh STANDARDS
+RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
+.Bl -dash -compact
+.It
+section 2: IP Address delegation extension
+.It
+section 2.2.3.5: Element inherit
+.It
+section 3: AS identifiers delegation extension
+.It
+section 3.2.3.3: Element inherit
+.El
+.Sh HISTORY
+These functions first appeared in OpenSSL 0.9.8e
+and have been available since
+.Ox 7.1 .
+.Sh BUGS
+.Fn X509v3_asid_inherits
+ignores whether the
+.Fa inherit
+is present or absent in the list that is considered to use inheritance.
+.Pp
+There is no API that determines whether all lists contained in an
+.Vt ASIdentifiers
+or an
+.Vt IPAddrBlocks
+objects inherit.
+See RFC 9287, 5.1.2 for an example where this is relevant.
diff --git a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
index 272acc31e2..6d554e6a20 100644
--- a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
+++ b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.3 2023/09/26 08:56:18 tb Exp $
+.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.4 2023/09/26 20:42:45 tb Exp $
 .\"
 .\" Copyright (c) 2021-2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -297,3 +297,27 @@ does not prefer either representation over the other.
 The encodings of the two representations produced by
 .Xr i2d_ASIdentifiers 3
 are distinct.
+.Pp
+.Fn X509v3_asid_is_canonical
+does not fully check inheriting lists to be well formed.
+It only checks the
+.Fa type
+to be
+.Dv ASIdentifierChoice_inherit
+and ignores the presence or absence of the
+.Fa inherit
+element.
+.Fn X509v3_asid_canonize
+does not fix that up.
+This can lead to incorrect or unexpected DER encoding of
+.Dq canonical
+.Vt ASIdentifiers
+objects.
+In particular, it is possible to construct an
+.Vt ASIdentifiers
+object for which both
+.Fn X509v3_asid_is_canonical
+and
+.Xr X509v3_asid_inherits 3
+return 1, and after a round trip through DER the latter
+returns 0.
author	tb <>	2023-09-26 20:42:45 +0000
committer	tb <>	2023-09-26 20:42:45 +0000
commit	69bb4041f1907aa069bdef3c3f546e3d34b5470b (patch)
tree	b97d15e08bb4f538df6cfd69070f7d55ef5d434a /src
parent	2fb34de3060792a0eb0a3d391d55a8644cbae70b (diff)
download	openbsd-69bb4041f1907aa069bdef3c3f546e3d34b5470b.tar.gz openbsd-69bb4041f1907aa069bdef3c3f546e3d34b5470b.tar.bz2 openbsd-69bb4041f1907aa069bdef3c3f546e3d34b5470b.zip

diff --git a/src/lib/libcrypto/man/ASIdentifiers_new.3 b/src/lib/libcrypto/man/ASIdentifiers_new.3 index a67c54434c..613fd3ce80 100644 --- a/src/lib/libcrypto/man/ASIdentifiers_new.3 +++ b/src/lib/libcrypto/man/ASIdentifiers_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ASIdentifiers_new.3,v 1.5 2023/09/26 15:34:23 tb Exp $	1	.\" $OpenBSD: ASIdentifiers_new.3,v 1.6 2023/09/26 20:42:45 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2021 Theo Buehler <tb@openbsd.org>	3	.\" Copyright (c) 2021 Theo Buehler <tb@openbsd.org>
4	.\"	4	.\"
@@ -113,6 +113,7 @@ or a value <= 0 if an error occurs.
113	.Xr IPAddressRange_new 3 ,	113	.Xr IPAddressRange_new 3 ,
114	.Xr X509_new 3 ,	114	.Xr X509_new 3 ,
115	.Xr X509v3_asid_add_id_or_range 3	115	.Xr X509v3_asid_add_id_or_range 3
		116	.Xr X509v3_asid_inherits 3
116	.Sh STANDARDS	117	.Sh STANDARDS
117	RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:	118	RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
118	.Bl -dash -compact	119	.Bl -dash -compact


diff --git a/src/lib/libcrypto/man/IPAddressRange_new.3 b/src/lib/libcrypto/man/IPAddressRange_new.3 index 262cbd8c81..bee18bc0b4 100644 --- a/src/lib/libcrypto/man/IPAddressRange_new.3 +++ b/src/lib/libcrypto/man/IPAddressRange_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: IPAddressRange_new.3,v 1.2 2023/09/26 18:35:34 tb Exp $	1	.\" $OpenBSD: IPAddressRange_new.3,v 1.3 2023/09/26 20:42:45 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>	3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
4	.\"	4	.\"
@@ -464,6 +464,7 @@ or a value <= 0 if an error occurs.
464	.Xr crypto 3 ,	464	.Xr crypto 3 ,
465	.Xr X509_new 3 ,	465	.Xr X509_new 3 ,
466	.Xr X509v3_addr_add_inherit 3 ,	466	.Xr X509v3_addr_add_inherit 3 ,
		467	.Xr X509v3_addr_inherits 3
467	.Sh STANDARDS	468	.Sh STANDARDS
468	RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:	469	RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
469	.Bl -dash -compact	470	.Bl -dash -compact


diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile index 9ab2a34823..9bf40343e4 100644 --- a/src/lib/libcrypto/man/Makefile +++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.273 2023/09/26 18:35:34 tb Exp $	1	# $OpenBSD: Makefile,v 1.274 2023/09/26 20:42:45 tb Exp $
2		2
3	.include <bsd.own.mk>	3	.include <bsd.own.mk>
4		4
@@ -394,6 +394,7 @@ MAN= \
394	X509at_get_attr.3 \	394	X509at_get_attr.3 \
395	X509v3_addr_add_inherit.3 \	395	X509v3_addr_add_inherit.3 \
396	X509v3_addr_get_range.3 \	396	X509v3_addr_get_range.3 \
		397	X509v3_addr_inherits.3 \
397	X509v3_asid_add_id_or_range.3 \	398	X509v3_asid_add_id_or_range.3 \
398	X509v3_asid_add_id_or_range.3 \	399	X509v3_asid_add_id_or_range.3 \
399	X509v3_get_ext_by_NID.3 \	400	X509v3_get_ext_by_NID.3 \


diff --git a/src/lib/libcrypto/man/X509_new.3 b/src/lib/libcrypto/man/X509_new.3 index ebffc7e69b..dea1b256ce 100644 --- a/src/lib/libcrypto/man/X509_new.3 +++ b/src/lib/libcrypto/man/X509_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_new.3,v 1.40 2023/09/26 15:34:23 tb Exp $	1	.\" $OpenBSD: X509_new.3,v 1.41 2023/09/26 20:42:45 tb Exp $
2	.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400	2	.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
3	.\"	3	.\"
4	.\" This file is a derived work.	4	.\" This file is a derived work.
@@ -243,6 +243,8 @@ if an error occurs.
243	.Xr X509_STORE_new 3 ,	243	.Xr X509_STORE_new 3 ,
244	.Xr X509_TRUST_set 3 ,	244	.Xr X509_TRUST_set 3 ,
245	.Xr X509v3_addr_add_inherit 3 ,	245	.Xr X509v3_addr_add_inherit 3 ,
		246	.Xr X509v3_addr_get_range 3 ,
		247	.Xr X509v3_addr_inherits 3 ,
246	.Xr X509v3_asid_add_id_or_range 3	248	.Xr X509v3_asid_add_id_or_range 3
247	.Sh STANDARDS	249	.Sh STANDARDS
248	RFC 5280: Internet X.509 Public Key Infrastructure Certificate and	250	RFC 5280: Internet X.509 Public Key Infrastructure Certificate and


diff --git a/src/lib/libcrypto/man/X509v3_addr_inherits.3 b/src/lib/libcrypto/man/X509v3_addr_inherits.3 new file mode 100644 index 0000000000..a8465afb38 --- /dev/null +++ b/src/lib/libcrypto/man/X509v3_addr_inherits.3
@@ -0,0 +1,106 @@
		1	.\" $OpenBSD: X509v3_addr_inherits.3,v 1.1 2023/09/26 20:42:45 tb Exp $
		2	.\"
		3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
		4	.\"
		5	.\" Permission to use, copy, modify, and distribute this software for any
		6	.\" purpose with or without fee is hereby granted, provided that the above
		7	.\" copyright notice and this permission notice appear in all copies.
		8	.\"
		9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		16	.\"
		17	.Dd $Mdocdate: September 26 2023 $
		18	.Dt X509V3_ADDR_INHERITS 3
		19	.Os
		20	.Sh NAME
		21	.Nm X509v3_addr_inherits ,
		22	.Nm X509v3_asid_inherits
		23	.Nd inheritance for the IP address and AS number delegation extensions
		24	.Sh SYNOPSIS
		25	.In openssl/x509v3.h
		26	.Ft int
		27	.Fn X509v3_addr_inherits "IPAddrBlocks *addrblocks"
		28	.Ft int
		29	.Fn X509v3_asid_inherits "ASIdentifiers *asids"
		30	.Sh DESCRIPTION
		31	.Fn X509v3_addr_inherits
		32	determines if there is at least one address family in
		33	.Fa addrblocks
		34	that uses inheritance.
		35	.Pp
		36	.Fn X509v3_asid_inherits
		37	is intended to determine if at least one of
		38	the list of autonomous system numbers or
		39	the list of routing domain identifiers
		40	uses inheritance.
		41	.Sh RETURN VALUES
		42	.Fn X509v3_addr_inherits
		43	returns 1 if and only if
		44	.Fa addrblocks
		45	contains at least one
		46	.Fa IPAddressFamily
		47	object that is correctly marked
		48	.Dq inherit :
		49	its
		50	.Fa IPAddressChoice
		51	is of
		52	.Fa type
		53	.Dv IPAddressChoice_inherit
		54	and its
		55	.Fa inherit
		56	element is present.
		57	Otherwise it returns 0.
		58	.Pp
		59	.Fn X509v3_asid_inherits
		60	returns 1 if and only if
		61	at least one of the
		62	.Fa asnum
		63	or the
		64	.Fa rdi
		65	lists has
		66	.Fa type
		67	.Dv ASIdentifierChoice_inherit .
		68	Otherwise
		69	.Fn X509v3_asid_inherits 3
		70	returns 0.
		71	.Sh SEE ALSO
		72	.Xr ASIdentifiers_new 3 ,
		73	.Xr ASRange_new 3 ,
		74	.Xr crypto 3 ,
		75	.Xr IPAddressRange_new 3 ,
		76	.Xr X509_new 3 ,
		77	.Xr X509v3_addr_add_inherit 3 ,
		78	.Xr X509v3_asid_add_inherit 3
		79	.Sh STANDARDS
		80	RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
		81	.Bl -dash -compact
		82	.It
		83	section 2: IP Address delegation extension
		84	.It
		85	section 2.2.3.5: Element inherit
		86	.It
		87	section 3: AS identifiers delegation extension
		88	.It
		89	section 3.2.3.3: Element inherit
		90	.El
		91	.Sh HISTORY
		92	These functions first appeared in OpenSSL 0.9.8e
		93	and have been available since
		94	.Ox 7.1 .
		95	.Sh BUGS
		96	.Fn X509v3_asid_inherits
		97	ignores whether the
		98	.Fa inherit
		99	is present or absent in the list that is considered to use inheritance.
		100	.Pp
		101	There is no API that determines whether all lists contained in an
		102	.Vt ASIdentifiers
		103	or an
		104	.Vt IPAddrBlocks
		105	objects inherit.
		106	See RFC 9287, 5.1.2 for an example where this is relevant.


diff --git a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 index 272acc31e2..6d554e6a20 100644 --- a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 +++ b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.3 2023/09/26 08:56:18 tb Exp $	1	.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.4 2023/09/26 20:42:45 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2021-2023 Theo Buehler <tb@openbsd.org>	3	.\" Copyright (c) 2021-2023 Theo Buehler <tb@openbsd.org>
4	.\"	4	.\"
@@ -297,3 +297,27 @@ does not prefer either representation over the other.
297	The encodings of the two representations produced by	297	The encodings of the two representations produced by
298	.Xr i2d_ASIdentifiers 3	298	.Xr i2d_ASIdentifiers 3
299	are distinct.	299	are distinct.
		300	.Pp
		301	.Fn X509v3_asid_is_canonical
		302	does not fully check inheriting lists to be well formed.
		303	It only checks the
		304	.Fa type
		305	to be
		306	.Dv ASIdentifierChoice_inherit
		307	and ignores the presence or absence of the
		308	.Fa inherit
		309	element.
		310	.Fn X509v3_asid_canonize
		311	does not fix that up.
		312	This can lead to incorrect or unexpected DER encoding of
		313	.Dq canonical
		314	.Vt ASIdentifiers
		315	objects.
		316	In particular, it is possible to construct an
		317	.Vt ASIdentifiers
		318	object for which both
		319	.Fn X509v3_asid_is_canonical
		320	and
		321	.Xr X509v3_asid_inherits 3
		322	return 1, and after a round trip through DER the latter
		323	returns 0.