Add attributeMappings extension

crypto/x509/build.info

@@ -19,7 +19,7 @@ SOURCE[../../libcrypto]=\
         v3_no_rev_avail.c v3_soa_id.c v3_no_ass.c v3_group_ac.c \
         v3_single_use.c v3_ac_tgt.c v3_audit_id.c v3_bacons.c v3_sda.c \
         v3_usernotice.c x_unotice.c x_iserial.c v3_authattid.c v3_iobo.c \
-        v3_aaa.c
+        v3_aaa.c v3_attrmap.c
 
 IF[{- !$disabled{'deprecated-3.0'} -}]
   SOURCE[../../libcrypto]=x509type.c

crypto/x509/ext_dat.h

@@ -41,4 +41,5 @@ extern const X509V3_EXT_METHOD ossl_v3_acc_cert_policies;
 extern const X509V3_EXT_METHOD ossl_v3_acc_priv_policies;
 extern const X509V3_EXT_METHOD ossl_v3_authority_attribute_identifier;
 extern const X509V3_EXT_METHOD ossl_v3_issued_on_behalf_of;
-extern const X509V3_EXT_METHOD ossl_v3_allowed_attribute_assignments;
+extern const X509V3_EXT_METHOD ossl_v3_allowed_attribute_assignments;
+extern const X509V3_EXT_METHOD ossl_v3_attribute_mappings;

crypto/x509/standard_exts.h

@@ -92,7 +92,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
     &ossl_v3_single_use,
     &ossl_v3_group_ac,
     &ossl_v3_allowed_attribute_assignments,
-    // TODO: attributeMappings
+    &ossl_v3_attribute_mappings,
     // TODO: holderNameConstraints
     &ossl_v3_associated_info,
 };

crypto/x509/v3_attrmap.c

@@ -0,0 +1,100 @@
+/*
+ * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include "internal/cryptlib.h"
+#include <openssl/asn1t.h>
+#include <openssl/x509v3.h>
+#include "ext_dat.h"
+
+ASN1_SEQUENCE(ATAV) = {
+    ASN1_SIMPLE(ATAV, type, ASN1_OBJECT),
+    ASN1_SIMPLE(ATAV, value, ASN1_ANY)
+} ASN1_SEQUENCE_END(ATAV)
+
+ASN1_SEQUENCE(ATTRIBUTE_TYPE_MAPPING) = {
+    ASN1_IMP(ATTRIBUTE_TYPE_MAPPING, local, ASN1_OBJECT, 0),
+    ASN1_IMP(ATTRIBUTE_TYPE_MAPPING, remote, ASN1_OBJECT, 1),
+} ASN1_SEQUENCE_END(ATTRIBUTE_TYPE_MAPPING)
+
+ASN1_SEQUENCE(ATTRIBUTE_VALUE_MAPPING) = {
+    ASN1_IMP(ATTRIBUTE_VALUE_MAPPING, local, ATAV, 0),
+    ASN1_IMP(ATTRIBUTE_VALUE_MAPPING, remote, ATAV, 1),
+} ASN1_SEQUENCE_END(ATTRIBUTE_VALUE_MAPPING)
+
+ASN1_CHOICE(ATTRIBUTE_MAPPING) = {
+    ASN1_IMP(ATTRIBUTE_MAPPING, choice.typeMappings, ATTRIBUTE_TYPE_MAPPING, ATTR_MAP_TYPE),
+    ASN1_IMP(ATTRIBUTE_MAPPING, choice.typeValueMappings, ATTRIBUTE_VALUE_MAPPING, ATTR_MAP_VALUE),
+} ASN1_CHOICE_END(ATTRIBUTE_MAPPING)
+
+ASN1_ITEM_TEMPLATE(ATTRIBUTE_MAPPINGS) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_OF, 0, ATTRIBUTE_MAPPINGS, ATTRIBUTE_MAPPING)
+ASN1_ITEM_TEMPLATE_END(ATTRIBUTE_MAPPINGS)
+
+IMPLEMENT_ASN1_FUNCTIONS(ATTRIBUTE_MAPPINGS)
+
+static int i2r_ATTRIBUTE_MAPPING(X509V3_EXT_METHOD *method,
+                                 ATTRIBUTE_MAPPING *am,
+                                 BIO *out, int indent)
+{
+    ASN1_OBJECT *local_type, *remote_type;
+    int local_attr_nid, remote_attr_nid;
+    ASN1_TYPE *local_val, *remote_val;
+    ASN1_STRING *local_str, *remote_str;
+
+    switch (am->type) {
+    case (ATTR_MAP_TYPE): {
+        i2a_ASN1_OBJECT(out, am->choice.typeMappings->local);
+        BIO_puts(out, " == ");
+        i2a_ASN1_OBJECT(out, am->choice.typeMappings->remote);
+        break;
+    }
+    case (ATTR_MAP_VALUE): {
+        local_type = am->choice.typeValueMappings->local->type;
+        remote_type = am->choice.typeValueMappings->remote->type;
+        local_val = am->choice.typeValueMappings->local->value;
+        remote_val = am->choice.typeValueMappings->remote->value;
+        local_attr_nid = OBJ_obj2nid(local_type);
+        remote_attr_nid = OBJ_obj2nid(remote_type);
+        print_attribute_value(out, local_attr_nid, local_val);
+        BIO_puts(out, " == ");
+        print_attribute_value(out, remote_attr_nid, remote_val);
+        break;
+    }
+    default: return 0;
+    }
+    return 1;
+}
+
+static int i2r_ATTRIBUTE_MAPPINGS(X509V3_EXT_METHOD *method,
+                                  ATTRIBUTE_MAPPINGS *ams,
+                                  BIO *out, int indent)
+{
+    int i;
+    ATTRIBUTE_MAPPING *am;
+    for (i = 0; i < sk_ATTRIBUTE_MAPPING_num(ams); i++) {
+        am = sk_ATTRIBUTE_MAPPING_value(ams, i);
+        BIO_printf(out, "%*s", indent, "");
+        i2r_ATTRIBUTE_MAPPING(method, am, out, indent + 4);
+        BIO_puts(out, "\n");
+    }
+    return 1;
+}
+
+const X509V3_EXT_METHOD ossl_v3_attribute_mappings = {
+    NID_attribute_mappings, 0,
+    ASN1_ITEM_ref(ATTRIBUTE_MAPPINGS),
+    0, 0, 0, 0,
+    0, 0,
+    0,
+    0,
+    (X509V3_EXT_I2R)i2r_ATTRIBUTE_MAPPINGS,
+    0,
+    NULL
+};

crypto/x509/x_attrib.c

@@ -130,7 +130,7 @@ void print_attribute_value(BIO *out, int obj_nid, const ASN1_TYPE *av)
 
     case V_ASN1_INTEGER:
     case V_ASN1_ENUMERATED:
-        str = (ASN1_STRING *)&(av->value);
+        str = av->value.integer;
         ASN1_INTEGER_print_bio(out, str);
         break;
 

include/openssl/x509v3.h.in

@@ -1121,6 +1121,42 @@ DECLARE_ASN1_FUNCTIONS(ALLOWED_ATTRIBUTES_SYNTAX)
     generate_stack_macros("ALLOWED_ATTRIBUTES_ITEM");
 -}
 
+typedef struct atav_st {
+    ASN1_OBJECT *type;
+    ASN1_TYPE *value;
+} ATAV;
+
+typedef struct ATTRIBUTE_TYPE_MAPPING_st {
+    ASN1_OBJECT *local;
+    ASN1_OBJECT *remote;
+} ATTRIBUTE_TYPE_MAPPING;
+
+typedef struct ATTRIBUTE_VALUE_MAPPING_st {
+    ATAV *local;
+    ATAV *remote;
+} ATTRIBUTE_VALUE_MAPPING;
+
+#define ATTR_MAP_TYPE   0
+#define ATTR_MAP_VALUE  1
+
+typedef struct ATTRIBUTE_MAPPING_st {
+    int type;
+    union {
+        ATTRIBUTE_TYPE_MAPPING *typeMappings;
+        ATTRIBUTE_VALUE_MAPPING *typeValueMappings;
+    } choice;
+} ATTRIBUTE_MAPPING;
+
+typedef STACK_OF(ATTRIBUTE_MAPPING) ATTRIBUTE_MAPPINGS;
+DECLARE_ASN1_FUNCTIONS(ATTRIBUTE_TYPE_MAPPING)
+DECLARE_ASN1_FUNCTIONS(ATTRIBUTE_VALUE_MAPPING)
+DECLARE_ASN1_FUNCTIONS(ATTRIBUTE_MAPPING)
+DECLARE_ASN1_FUNCTIONS(ATTRIBUTE_MAPPINGS)
+
+{-
+    generate_stack_macros("ATTRIBUTE_MAPPING");
+-}
+
 # ifdef  __cplusplus
 }
 # endif

test/certs/ext-attributeMappings.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB1TCCAb+gAwIBAgIEDCI4TjANBgkqhkiG9w0BAQUFADARMQ8wDQYDVQQDDAZI
+aSBtb20wIhgPMjAyMjEyMTIxOTM3MDhaGA8yMDIyMTIxMjE5MzcwOFowETEPMA0G
+A1UEAwwGSGkgbW9tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtnjL
+m1ts1hC4fNNt3UnQD9y73bDXgioTyWYSI3ca/KNfuTydjFTEYAmqnuGrBOUfgbmH
+3PRQ0AmpqljgWTb3d3K8H4UFvDWQTPSS21IMjm8oqd19nE5GxWirGu0oDRzhWLHe
+1RZ7ZrohCPg/1Ocsy47QZuK2laFB0rEmrRWBmEYbDl3/wxf5XfqIqpOynJB02thX
+rTCcTM7Rz1FqCFt/ZVZB5hKY2S+CTdE9OIVKlr4WHMfuvUYeOj06GkwLFJHNv2tU
++tovI3mYRxUuY4UupkS3MC+Otey7XKm1P+INjWWoegm6iCAt3VuspVz+6pU2xgl3
+nrAVMQHB4fReQPH0pQIDAQABozMwMTAvBgNVHUQEKDEmoAqAA1UEA4EDVQQHoRig
+CwYDVQQDDARhc2RmoQkGA1UEBwICAz4wDQYJKoZIhvcNAQEFBQADAQA=
+-----END CERTIFICATE-----

util/libcrypto.num

@@ -5630,3 +5630,23 @@ i2d_ALLOWED_ATTRIBUTES_SYNTAX           ?	3_2_0	EXIST::FUNCTION:
 ALLOWED_ATTRIBUTES_SYNTAX_free          ?	3_2_0	EXIST::FUNCTION:
 ALLOWED_ATTRIBUTES_SYNTAX_new           ?	3_2_0	EXIST::FUNCTION:
 ALLOWED_ATTRIBUTES_SYNTAX_it            ?	3_2_0	EXIST::FUNCTION:
+d2i_ATTRIBUTE_TYPE_MAPPING              ?	3_2_0	EXIST::FUNCTION:
+i2d_ATTRIBUTE_TYPE_MAPPING              ?	3_2_0	EXIST::FUNCTION:
+ATTRIBUTE_TYPE_MAPPING_free             ?	3_2_0	EXIST::FUNCTION:
+ATTRIBUTE_TYPE_MAPPING_new              ?	3_2_0	EXIST::FUNCTION:
+ATTRIBUTE_TYPE_MAPPING_it               ?	3_2_0	EXIST::FUNCTION:
+d2i_ATTRIBUTE_VALUE_MAPPING             ?	3_2_0	EXIST::FUNCTION:
+i2d_ATTRIBUTE_VALUE_MAPPING             ?	3_2_0	EXIST::FUNCTION:
+ATTRIBUTE_VALUE_MAPPING_free            ?	3_2_0	EXIST::FUNCTION:
+ATTRIBUTE_VALUE_MAPPING_new             ?	3_2_0	EXIST::FUNCTION:
+ATTRIBUTE_VALUE_MAPPING_it              ?	3_2_0	EXIST::FUNCTION:
+d2i_ATTRIBUTE_MAPPING                   ?	3_2_0	EXIST::FUNCTION:
+i2d_ATTRIBUTE_MAPPING                   ?	3_2_0	EXIST::FUNCTION:
+ATTRIBUTE_MAPPING_free                  ?	3_2_0	EXIST::FUNCTION:
+ATTRIBUTE_MAPPING_new                   ?	3_2_0	EXIST::FUNCTION:
+ATTRIBUTE_MAPPING_it                    ?	3_2_0	EXIST::FUNCTION:
+d2i_ATTRIBUTE_MAPPINGS                  ?	3_2_0	EXIST::FUNCTION:
+i2d_ATTRIBUTE_MAPPINGS                  ?	3_2_0	EXIST::FUNCTION:
+ATTRIBUTE_MAPPINGS_free                 ?	3_2_0	EXIST::FUNCTION:
+ATTRIBUTE_MAPPINGS_new                  ?	3_2_0	EXIST::FUNCTION:
+ATTRIBUTE_MAPPINGS_it                   ?	3_2_0	EXIST::FUNCTION: