feat: support the attributeDescriptor X.509v3 extension
Support the attributeDescriptor X.509v3 extension as defined in ITU-T Recommendation X.509. The syntax of this extension is:
```asn1
attributeDescriptor EXTENSION ::= {
    SYNTAX          AttributeDescriptorSyntax
    IDENTIFIED BY   {id-ce-attributeDescriptor} }

AttributeDescriptorSyntax ::= SEQUENCE {
    identifier          AttributeIdentifier,
    attributeSyntax     OCTET STRING(SIZE (1..MAX)),
    name            [0] AttributeName OPTIONAL,
    description     [1] AttributeDescription OPTIONAL,
    dominationRule      PrivilegePolicyIdentifier,
    ... }

AttributeIdentifier ::= ATTRIBUTE.&id({AttributeIDs})

AttributeIDs ATTRIBUTE ::= {...}

AttributeName ::= UTF8String(SIZE (1..MAX))

AttributeDescription ::= UTF8String(SIZE (1..MAX))

PrivilegePolicyIdentifier ::= SEQUENCE {
    privilegePolicy     PrivilegePolicy,
    privPolSyntax       InfoSyntax,
    ... }

PrivilegePolicy ::= OBJECT IDENTIFIER

InfoSyntax ::= CHOICE {
    content     UnboundedDirectoryString,
    pointer     SEQUENCE {
        name    GeneralNames,
        hash    HASH{HashedPolicyInfo} OPTIONAL,
        ... },
    ... }

POLICY ::= TYPE-IDENTIFIER

HashedPolicyInfo ::= POLICY.&Type({Policies})
```
Checklist
- [ ] documentation is added or updated
- [ ] tests are added or updated
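
Added here as a worked example, not code from this PR or from OpenSSL: a hand-rolled DER encoder and bounds-checked parser for `AttributeDescriptorSyntax` using the `content` alternative of `InfoSyntax`. It assumes the IMPLICIT tagging of the X.509 attribute-certificate module (so `name [0]` and `description [1]` are context tags 0x80 and 0x81), and the policy text used when calling it is a constructed sample value.

```python
# Added example, not from the OpenSSL PR: DER round-trip for AttributeDescriptorSyntax (IMPLICIT tags).
def tlv(tag, body):                      # DER tag-length-value with short- or long-form length
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body
def oid(dotted):                         # dotted string -> DER OBJECT IDENTIFIER
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                   # base-128 arcs, high bit set on all but the last byte
        out += bytes([0x80 | (a >> s & 0x7F) for s in range((a.bit_length() - 1) // 7 * 7, 0, -7)] + [a & 0x7F])
    return tlv(0x06, bytes(out))
def encode_attribute_descriptor(identifier, syntax, policy_oid, policy_text, name=None, description=None):
    body = oid(identifier) + tlv(0x04, syntax)      # identifier, then attributeSyntax OCTET STRING
    body += b"".join(tlv(t, s.encode()) for t, s in ((0x80, name), (0x81, description)) if s is not None)
    rule = tlv(0x30, oid(policy_oid) + tlv(0x0C, policy_text.encode()))  # dominationRule, InfoSyntax "content"
    return tlv(0x30, body + rule)

def children(buf):                       # split a DER body into (tag, value) pairs, bounds-checked
    pos, out = 0, []
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                # long form: low 7 bits give the number of length bytes
            length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
        if pos + length > len(buf):
            raise ValueError("DER length runs past end of buffer")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out
def decode_oid(b):                       # DER OBJECT IDENTIFIER contents -> dotted string
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))
def decode_attribute_descriptor(der):
    (tag, body), = children(der)         # exactly one top-level SEQUENCE, no trailing bytes
    fields = children(body)
    if tag != 0x30 or len(fields) < 3 or fields[0][0] != 0x06 or fields[1][0] != 0x04:
        raise ValueError("malformed AttributeDescriptorSyntax")
    out = {"identifier": decode_oid(fields[0][1]), "attributeSyntax": fields[1][1]}
    for tag, val in fields[2:]:
        if tag in (0x80, 0x81):          # name [0] / description [1] IMPLICIT UTF8String
            out["name" if tag == 0x80 else "description"] = val.decode()
        elif tag == 0x30:                # dominationRule: privilegePolicy OID + privPolSyntax
            (ptag, pval), (stag, sval) = children(val)[:2]
            if ptag != 0x06 or stag != 0x0C:
                raise ValueError("unsupported InfoSyntax alternative (only 'content' handled)")
            out["privilegePolicy"], out["privPolSyntax"] = decode_oid(pval), sval.decode()
    return out
```

The `pointer` alternative (GeneralNames plus optional hash) that the test certificate below uses is deliberately rejected rather than silently skipped, and a length that overruns the buffer raises instead of being truncated by slicing.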
@t8m I fixed the merge conflicts introduced from merging in the roleSpecCertIdentifier X.509v3 extension, so this is ready for review again. @nhorman would you be interested in joining?
I will make an effort, but I'm away from my desk for a few days
All feedback addressed. This PR is ready for review again.
@t8m and @nhorman can I get a review on this?
@nhorman Would you be free to review this?
Could you please check the command output to avoid repeating #25814?
This pull request is ready to merge
Here is the entire content of the output of `./apps/openssl x509 -in ./test/certs/ext-attributeDescriptor.pem -noout -text` with this PR. @FdaSilvaYY hopefully this assuages your concern. I do visually check my PRs when I run them!

```text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 66051 (0x10203)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:
        Validity
            Not Before: Aug 31 01:07:09 2021 GMT
            Not After : Aug 31 01:07:09 2021 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:78:cb:9b:5b:6c:d6:10:b8:7c:d3:6d:dd:49:
                    d0:0f:dc:bb:dd:b0:d7:82:2a:13:c9:66:12:23:77:
                    1a:fc:a3:5f:b9:3c:9d:8c:54:c4:60:09:aa:9e:e1:
                    ab:04:e5:1f:81:b9:87:dc:f4:50:d0:09:a9:aa:58:
                    e0:59:36:f7:77:72:bc:1f:85:05:bc:35:90:4c:f4:
                    92:db:52:0c:8e:6f:28:a9:dd:7d:9c:4e:46:c5:68:
                    ab:1a:ed:28:0d:1c:e1:58:b1:de:d5:16:7b:66:ba:
                    21:08:f8:3f:d4:e7:2c:cb:8e:d0:66:e2:b6:95:a1:
                    41:d2:b1:26:ad:15:81:98:46:1b:0e:5d:ff:c3:17:
                    f9:5d:fa:88:aa:93:b2:9c:90:74:da:d8:57:ad:30:
                    9c:4c:ce:d1:cf:51:6a:08:5b:7f:65:56:41:e6:12:
                    98:d9:2f:82:4d:d1:3d:38:85:4a:96:be:16:1c:c7:
                    ee:bd:46:1e:3a:3d:3a:1a:4c:0b:14:91:cd:bf:6b:
                    54:fa:da:2f:23:79:98:47:15:2e:63:85:2e:a6:44:
                    b7:30:2f:8e:b5:ec:bb:5c:a9:b5:3f:e2:0d:8d:65:
                    a8:7a:09:ba:88:20:2d:dd:5b:ac:a5:5c:fe:ea:95:
                    36:c6:09:77:9e:b0:15:31:01:c1:e1:f4:5e:40:f1:
                    f4:a5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Attribute Descriptor:
                Identifier: 2.5.4.3
                Syntax:
                UnboundedDirectoryString

                Name: commonName
                Description: A general-purpose name
                Domination Rule:
                    Privilege Policy Identifier: 2.5.4.10
                    Privilege Policy Syntax:
                        Pointer:
                            Names:
                                DirName:CN = Wildboar Software
                            Hash:
                                Algorithm: sha256
                                Hash Value:
    Signature Algorithm: sha1WithRSAEncryption
    Signature Value:
```
What about the empty line after the UnboundedDirectoryString line? Is that intentional?
> What about the empty line after the UnboundedDirectoryString line? Is that intentional?
Yes, that was intentional. That field is expected to contain newlines of its own sometimes, so I wanted double newlines to more clearly resume the rest of the OpenSSL output.
Merged to the master branch. Thank you for your contribution.