TrustedComputingGroup · JonathanWilbur · Dec 11, 2022 · Dec 11, 2022
diff --git a/crypto/x509/build.info b/crypto/x509/build.info
@@ -18,7 +18,7 @@ SOURCE[../../libcrypto]=\
         x509_acert.c t_acert.c x509aset.c x_ietfatt.c \
         v3_no_rev_avail.c v3_soa_id.c v3_no_ass.c v3_group_ac.c \
         v3_single_use.c v3_ac_tgt.c v3_audit_id.c v3_bacons.c v3_sda.c \
-        v3_usernotice.c x_unotice.c
+        v3_usernotice.c x_unotice.c x_iserial.c v3_authattid.c
 
 IF[{- !$disabled{'deprecated-3.0'} -}]
   SOURCE[../../libcrypto]=x509type.c

diff --git a/crypto/x509/ext_dat.h b/crypto/x509/ext_dat.h
@@ -38,4 +38,5 @@ extern const X509V3_EXT_METHOD ossl_v3_subj_dir_attrs;
 extern const X509V3_EXT_METHOD ossl_v3_associated_info;
 extern const X509V3_EXT_METHOD ossl_v3_user_notice;
 extern const X509V3_EXT_METHOD ossl_v3_acc_cert_policies;
-extern const X509V3_EXT_METHOD ossl_v3_acc_priv_policies;
+extern const X509V3_EXT_METHOD ossl_v3_acc_priv_policies;
+extern const X509V3_EXT_METHOD ossl_v3_authority_attribute_identifier;
diff --git a/crypto/x509/standard_exts.h b/crypto/x509/standard_exts.h
@@ -56,7 +56,6 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
     &ossl_v3_policy_constraints,
     &ossl_v3_targeting_information,
     &ossl_v3_no_rev_avail,
-    &ossl_v3_acc_priv_policies,
 #ifndef OPENSSL_NO_OCSP
     &ossl_v3_crl_hold,
 #endif
@@ -77,14 +76,24 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
     &ossl_v3_issuer_sign_tool,
     &ossl_v3_tls_feature,
     &ossl_v3_ext_admission,
+    &ossl_v3_authority_attribute_identifier,
+    // TODO: roleSpecCertIdentifier
     &ossl_v3_bacons,
     &ossl_v3_delegated_name_constraints,
+    // TODO: timeSpecification
+    // TODO: attributeDescriptor
     &ossl_v3_user_notice,
     &ossl_v3_soa_identifier,
     &ossl_v3_acc_cert_policies,
+    &ossl_v3_acc_priv_policies,
+    // TODO: indirectIssuer
     &ossl_v3_no_assertion,
+    // TODO: issuedOnBehalfOf
     &ossl_v3_single_use,
     &ossl_v3_group_ac,
+    // TODO: allowedAttributeAssignments
+    // TODO: attributeMappings
+    // TODO: holderNameConstraints
     &ossl_v3_associated_info,
 };
 

diff --git a/crypto/x509/v3_ac_tgt.c b/crypto/x509/v3_ac_tgt.c
@@ -17,9 +17,6 @@
 #include "x509_local.h"
 #include "crypto/asn1.h"
 
-static int i2r_ISSUER_SERIAL(X509V3_EXT_METHOD *method,
-                             ISSUER_SERIAL *iss,
-                             BIO *out, int indent);
 static int i2r_OBJECT_DIGEST_INFO(X509V3_EXT_METHOD *method,
                                   OBJECT_DIGEST_INFO *odi,
                                   BIO *out, int indent);
@@ -32,6 +29,9 @@ static int i2r_TARGET(X509V3_EXT_METHOD *method,
 static int i2r_TARGETING_INFORMATION(X509V3_EXT_METHOD *method,
                                      TARGETING_INFORMATION *tinfo,
                                      BIO *out, int indent);
+int i2r_ISSUER_SERIAL(X509V3_EXT_METHOD *method,
+                      ISSUER_SERIAL *iss,
+                      BIO *out, int indent);
 
 ASN1_SEQUENCE(ISSUER_SERIAL) = {
     ASN1_SIMPLE(ISSUER_SERIAL, issuer, GENERAL_NAMES),
@@ -73,30 +73,6 @@ IMPLEMENT_ASN1_FUNCTIONS(TARGET)
 IMPLEMENT_ASN1_FUNCTIONS(TARGETS)
 IMPLEMENT_ASN1_FUNCTIONS(TARGETING_INFORMATION)
 
-static int i2r_ISSUER_SERIAL(X509V3_EXT_METHOD *method,
-                             ISSUER_SERIAL *iss,
-                             BIO *out, int indent)
-{
-    if (iss->issuer != NULL) {
-        BIO_printf(out, "%*sIssuer Names:\n", indent, "");
-        ossl_print_gens(out, iss->issuer, indent);
-        BIO_puts(out, "\n");
-    }
-    if (iss->serial != NULL) {
-        BIO_printf(out, "%*sIssuer Serial: ", indent, "");
-        if (i2a_ASN1_INTEGER(out, iss->serial) <= 0)
-            return 0;
-        BIO_puts(out, "\n");
-    }
-    if (iss->issuerUID != NULL) {
-        BIO_printf(out, "%*sIssuer UID: ", indent, "");
-        if (i2a_ASN1_STRING(out, iss->issuerUID, V_ASN1_BIT_STRING) <= 0)
-            return 0;
-        BIO_puts(out, "\n");
-    }
-    return 1;
-}
-
 static int i2r_OBJECT_DIGEST_INFO(X509V3_EXT_METHOD *method,
                            OBJECT_DIGEST_INFO *odi,
                            BIO *out, int indent)

diff --git a/crypto/x509/v3_authattid.c b/crypto/x509/v3_authattid.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include "internal/cryptlib.h"
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+#include "ext_dat.h"
+
+int i2r_ISSUER_SERIAL(X509V3_EXT_METHOD *method,
+                      ISSUER_SERIAL *iss,
+                      BIO *out, int indent);
+
+static int i2r_AUTHORITY_ATTRIBUTE_ID_SYNTAX(X509V3_EXT_METHOD *method,
+                                             AUTHORITY_ATTRIBUTE_ID_SYNTAX *aids,
+                                             BIO *out, int indent)
+{
+    int i;
+    ISSUER_SERIAL *aid;
+    for (i = 0; i < sk_ISSUER_SERIAL_num(aids); i++) {
+        BIO_printf(out, "%*sIssuer-Serials:\n", indent, "");
+        aid = sk_ISSUER_SERIAL_value(aids, i);
+        i2r_ISSUER_SERIAL(method, aid, out, indent + 4);
+        BIO_puts(out, "\n");
+    }
+    return 1;
+}
+
+ASN1_ITEM_TEMPLATE(AUTHORITY_ATTRIBUTE_ID_SYNTAX) =
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, AUTHORITY_ATTRIBUTE_ID_SYNTAX, ISSUER_SERIAL)
+ASN1_ITEM_TEMPLATE_END(AUTHORITY_ATTRIBUTE_ID_SYNTAX)
+
+IMPLEMENT_ASN1_FUNCTIONS(AUTHORITY_ATTRIBUTE_ID_SYNTAX)
+
+const X509V3_EXT_METHOD ossl_v3_authority_attribute_identifier = {
+    NID_authority_attribute_identifier, 0,
+    ASN1_ITEM_ref(AUTHORITY_ATTRIBUTE_ID_SYNTAX),
+    0, 0, 0, 0,
+    0,
+    0,
+    0, 0,
+    (X509V3_EXT_I2R)i2r_AUTHORITY_ATTRIBUTE_ID_SYNTAX,
+    0,
+    NULL
+};
diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
@@ -1364,7 +1364,7 @@ int ossl_print_gens(BIO *out, GENERAL_NAMES *gens, int indent)
     for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
         if (i > 0)
             BIO_puts(out, "\n");
-        BIO_printf(out, "%*s", indent + 2, "");
+        BIO_printf(out, "%*s", indent + 4, "");
         GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i));
     }
     return 1;

diff --git a/crypto/x509/x_iserial.c b/crypto/x509/x_iserial.c
@@ -0,0 +1,25 @@
+#include <openssl/x509v3.h>
+
+int i2r_ISSUER_SERIAL(X509V3_EXT_METHOD *method,
+                      ISSUER_SERIAL *iss,
+                      BIO *out, int indent)
+{
+    if (iss->issuer != NULL) {
+        BIO_printf(out, "%*sIssuer Names:\n", indent, "");
+        ossl_print_gens(out, iss->issuer, indent);
+        BIO_puts(out, "\n");
+    }
+    if (iss->serial != NULL) {
+        BIO_printf(out, "%*sIssuer Serial: ", indent, "");
+        if (i2a_ASN1_INTEGER(out, iss->serial) <= 0)
+            return 0;
+        BIO_puts(out, "\n");
+    }
+    if (iss->issuerUID != NULL) {
+        BIO_printf(out, "%*sIssuer UID: ", indent, "");
+        if (i2a_ASN1_STRING(out, iss->issuerUID, V_ASN1_BIT_STRING) <= 0)
+            return 0;
+        BIO_puts(out, "\n");
+    }
+    return 1;
+}
diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in
@@ -1035,6 +1035,13 @@ typedef struct ISSUER_SERIAL_st {
     ASN1_BIT_STRING *issuerUID;
 } ISSUER_SERIAL;
 
+typedef STACK_OF(ISSUER_SERIAL) AUTHORITY_ATTRIBUTE_ID_SYNTAX;
+DECLARE_ASN1_FUNCTIONS(AUTHORITY_ATTRIBUTE_ID_SYNTAX)
+
+{-
+    generate_stack_macros("ISSUER_SERIAL");
+-}
+
 #define ODI_TYPE_PUBLIC_KEY      0
 #define ODI_TYPE_PUBLIC_KEY_CERT 1
 #define ODI_TYPE_OTHER           2

diff --git a/test/certs/ext-authorityAttributeIdentifier.pem b/test/certs/ext-authorityAttributeIdentifier.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBtDCCAaCgAwIBAgIDAQIDMAsGCSqGSIb3DQEBBTAAMCIYDzIwMjEwODMxMDIy
+NDM1WhgPMjAyMTA4MzEwMjI0MzVaMAAwggEgMAsGCSqGSIb3DQEBAQOCAQ8AMIIB
+CgKCAQEAtnjLm1ts1hC4fNNt3UnQD9y73bDXgioTyWYSI3ca/KNfuTydjFTEYAmq
+nuGrBOUfgbmH3PRQ0AmpqljgWTb3d3K8H4UFvDWQTPSS21IMjm8oqd19nE5GxWir
+Gu0oDRzhWLHe1RZ7ZrohCPg/1Ocsy47QZuK2laFB0rEmrRWBmEYbDl3/wxf5XfqI
+qpOynJB02thXrTCcTM7Rz1FqCFt/ZVZB5hKY2S+CTdE9OIVKlr4WHMfuvUYeOj06
+GkwLFJHNv2tU+tovI3mYRxUuY4UupkS3MC+Otey7XKm1P+INjWWoegm6iCAt3Vus
+pVz+6pU2xgl3nrAVMQHB4fReQPH0pQIDAQABozswOTA3BgNVHSYEMDAuMCwwIKQe
+MBwxGjAYBgNVBAMMEVdpbGRib2FyIFNvZnR3YXJlAgQBAwUHAwIBsjALBgkqhkiG
+9w0BAQUDAQA=
+-----END CERTIFICATE-----
diff --git a/util/libcrypto.num b/util/libcrypto.num
@@ -5610,3 +5610,8 @@ i2d_USER_NOTICE_SYNTAX                  ?	3_2_0	EXIST::FUNCTION:
 USER_NOTICE_SYNTAX_free                 ?	3_2_0	EXIST::FUNCTION:
 USER_NOTICE_SYNTAX_new                  ?	3_2_0	EXIST::FUNCTION:
 USER_NOTICE_SYNTAX_it                   ?	3_2_0	EXIST::FUNCTION:
+d2i_AUTHORITY_ATTRIBUTE_ID_SYNTAX       ?	3_2_0	EXIST::FUNCTION:
+i2d_AUTHORITY_ATTRIBUTE_ID_SYNTAX       ?	3_2_0	EXIST::FUNCTION:
+AUTHORITY_ATTRIBUTE_ID_SYNTAX_free      ?	3_2_0	EXIST::FUNCTION:
+AUTHORITY_ATTRIBUTE_ID_SYNTAX_new       ?	3_2_0	EXIST::FUNCTION:
+AUTHORITY_ATTRIBUTE_ID_SYNTAX_it        ?	3_2_0	EXIST::FUNCTION: