root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Provide X509_CRL_get0_tbs_sigalg() 

X509_CRL_get0_tbs_sigalg() corresponds to X509_get0_tbs_sigalg() and
retrieves the AlgorithmIdentifier inside the TBSCertList which is not
currently accessible in any sane way from public API.

This PR adds X509_get0_tbs_sigalg() to the public API, documents it,
adds a simple regress check so there is coverage and mentions the
addition in CHANGES.md.

On top of that, fix a typo in .gitignore and clean up some order
inconsistencies in X509_get0_signature.pod.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27971)
This commit is contained in:
Theo Buehler 2025-07-06 13:55:52 +02:00 committed by Tomas Mraz
parent 13259a758a
commit 21f1b677d5
7 changed files with 34 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -93,7 +93,7 @@ providers/implementations/ciphers/ciphercommon.c
providers/implementations/ciphers/ciphercommon_ccm.c providers/implementations/ciphers/ciphercommon_ccm.c
providers/implementations/ciphers/ciphercommon_gcm.c providers/implementations/ciphers/ciphercommon_gcm.c
providers/implementations/ciphers/cipher_chacha20_poly1305.c providers/implementations/ciphers/cipher_chacha20_poly1305.c
providers/implementations/digest/digestcommon.c providers/implementations/digests/digestcommon.c
# error code files # error code files
/crypto/err/openssl.txt.old /crypto/err/openssl.txt.old

5
CHANGES.md
View File

@ -117,6 +117,11 @@ OpenSSL 3.6
*Dimitri John Ledkov* *Dimitri John Ledkov*
* Add X509_CRL_get0_tbs_sigalg() accessor for the signature AlgorithmIdentifier
inside a CRL's TBSCertList.
*Theo Buehler*
* HKDF with (SHA-256, SHA-384, SHA-512) has assigned OIDs. Added ability to load * HKDF with (SHA-256, SHA-384, SHA-512) has assigned OIDs. Added ability to load
HKDF configured with these explicit digests by name or OID. HKDF configured with these explicit digests by name or OID.

5
crypto/x509/x509cset.c
View File

@ -125,6 +125,11 @@ STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl)
return crl->crl.revoked; return crl->crl.revoked;
} }
const X509_ALGOR *X509_CRL_get0_tbs_sigalg(const X509_CRL *crl)
{
return &crl->crl.sig_alg;
}
void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig, void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
const X509_ALGOR **palg) const X509_ALGOR **palg)
{ {

20
doc/man3/X509_get0_signature.pod
View File

@ -5,9 +5,10 @@
X509_get0_signature, X509_REQ_set0_signature, X509_REQ_set1_signature_algo, X509_get0_signature, X509_REQ_set0_signature, X509_REQ_set1_signature_algo,
X509_get_signature_nid, X509_get0_tbs_sigalg, X509_REQ_get0_signature, X509_get_signature_nid, X509_get0_tbs_sigalg, X509_REQ_get0_signature,
X509_REQ_get_signature_nid, X509_CRL_get0_signature, X509_CRL_get_signature_nid, X509_REQ_get_signature_nid, X509_CRL_get0_signature, X509_CRL_get_signature_nid,
X509_CRL_get0_tbs_sigalg, X509_get_signature_info,
X509_SIG_INFO_get, X509_SIG_INFO_set,
X509_ACERT_get0_signature, X509_ACERT_get0_info_sigalg, X509_ACERT_get0_signature, X509_ACERT_get0_info_sigalg,
X509_ACERT_get_signature_nid, X509_get_signature_info, X509_ACERT_get_signature_nid - signature information
X509_SIG_INFO_get, X509_SIG_INFO_set - signature information
=head1 SYNOPSIS =head1 SYNOPSIS
@ -32,6 +33,7 @@ X509_SIG_INFO_get, X509_SIG_INFO_set - signature information
const ASN1_BIT_STRING **psig, const ASN1_BIT_STRING **psig,
const X509_ALGOR **palg); const X509_ALGOR **palg);
int X509_CRL_get_signature_nid(const X509_CRL *crl); int X509_CRL_get_signature_nid(const X509_CRL *crl);
const X509_ALGOR *X509_CRL_get0_tbs_sigalg(const X509_crl *crl);
int X509_get_signature_info(X509 *x, int *mdnid, int *pknid, int *secbits, int X509_get_signature_info(X509 *x, int *mdnid, int *pknid, int *secbits,
uint32_t *flags); uint32_t *flags);
@ -56,8 +58,8 @@ pointers which B<MUST NOT> be freed up after the call.
X509_set0_signature() and X509_REQ_set1_signature_algo() are the X509_set0_signature() and X509_REQ_set1_signature_algo() are the
equivalent setters for the two values of X509_get0_signature(). equivalent setters for the two values of X509_get0_signature().
X509_get0_tbs_sigalg() returns the signature algorithm in the signed X509_get0_tbs_sigalg() and X509_CRL_get0_tbs_sigalg() return the signature
portion of B<x>. algorithm in the signed portion of the certificate or CRL.
X509_get_signature_nid() returns the NID corresponding to the signature X509_get_signature_nid() returns the NID corresponding to the signature
algorithm of B<x>. algorithm of B<x>.
@ -66,10 +68,6 @@ X509_REQ_get0_signature(), X509_REQ_get_signature_nid()
X509_CRL_get0_signature() and X509_CRL_get_signature_nid() perform the X509_CRL_get0_signature() and X509_CRL_get_signature_nid() perform the
same function for certificate requests and CRLs. same function for certificate requests and CRLs.
X509_ACERT_get0_signature(), X509_ACERT_get_signature_nid() and
X509_ACERT_get0_info_sigalg() perform the same function for attribute
certificates.
X509_get_signature_info() retrieves information about the signature of X509_get_signature_info() retrieves information about the signature of
certificate B<x>. The NID of the signing digest is written to B<*mdnid>, certificate B<x>. The NID of the signing digest is written to B<*mdnid>,
the public key algorithm to B<*pknid>, the effective security bits to the public key algorithm to B<*pknid>, the effective security bits to
@ -82,6 +80,10 @@ used by implementations of algorithms which need to set custom
signature information: most applications will never need to call signature information: most applications will never need to call
them. them.
X509_ACERT_get0_signature(), X509_ACERT_get_signature_nid() and
X509_ACERT_get0_info_sigalg() perform the same function for attribute
certificates.
=head1 NOTES =head1 NOTES
These functions provide lower level access to signatures in certificates These functions provide lower level access to signatures in certificates
@ -147,6 +149,8 @@ were added in OpenSSL 1.1.1e.
The X509_ACERT_get0_signature(), X509_ACERT_get0_info_sigalg() and The X509_ACERT_get0_signature(), X509_ACERT_get0_info_sigalg() and
X509_ACERT_get_signature_nid() functions were added in OpenSSL 3.4. X509_ACERT_get_signature_nid() functions were added in OpenSSL 3.4.
The X509_CRL_get0_tbs_sigalg() function was added in OpenSSL 3.6.
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved. Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.

1
include/openssl/x509.h.in
View File

@ -761,6 +761,7 @@ OSSL_DEPRECATEDIN_1_1_0 ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl);
X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl); X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl); const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl); STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);
const X509_ALGOR *X509_CRL_get0_tbs_sigalg(const X509_CRL *crl);
void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig, void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
const X509_ALGOR **palg); const X509_ALGOR **palg);
int X509_CRL_get_signature_nid(const X509_CRL *crl); int X509_CRL_get_signature_nid(const X509_CRL *crl);

9
test/crltest.c
View File

@ -335,6 +335,7 @@ static int test_basic_crl(void)
{ {
X509_CRL *basic_crl = CRL_from_strings(kBasicCRL); X509_CRL *basic_crl = CRL_from_strings(kBasicCRL);
X509_CRL *revoked_crl = CRL_from_strings(kRevokedCRL); X509_CRL *revoked_crl = CRL_from_strings(kRevokedCRL);
const X509_ALGOR *alg = NULL, *tbsalg;
int r; int r;
r = TEST_ptr(basic_crl) r = TEST_ptr(basic_crl)
@ -345,6 +346,14 @@ static int test_basic_crl(void)
&& TEST_int_eq(verify(test_leaf, test_root, && TEST_int_eq(verify(test_leaf, test_root,
make_CRL_stack(basic_crl, revoked_crl), make_CRL_stack(basic_crl, revoked_crl),
X509_V_FLAG_CRL_CHECK), X509_V_ERR_CERT_REVOKED); X509_V_FLAG_CRL_CHECK), X509_V_ERR_CERT_REVOKED);
if (r) {
X509_CRL_get0_signature(basic_crl, NULL, &alg);
tbsalg = X509_CRL_get0_tbs_sigalg(basic_crl);
r = TEST_ptr(alg)
&& TEST_ptr(tbsalg)
&& TEST_int_eq(X509_ALGOR_cmp(alg, tbsalg), 0);
}
X509_CRL_free(basic_crl); X509_CRL_free(basic_crl);
X509_CRL_free(revoked_crl); X509_CRL_free(revoked_crl);
return r; return r;

1
util/libcrypto.num
View File

@ -5929,3 +5929,4 @@ OPENSSL_sk_set_thunks ? 3_6_0 EXIST::FUNCTION:
i2d_PKCS8PrivateKey ? 3_6_0 EXIST::FUNCTION: i2d_PKCS8PrivateKey ? 3_6_0 EXIST::FUNCTION:
OSSL_PARAM_set_octet_string_or_ptr ? 3_6_0 EXIST::FUNCTION: OSSL_PARAM_set_octet_string_or_ptr ? 3_6_0 EXIST::FUNCTION:
OSSL_STORE_LOADER_settable_ctx_params ? 3_6_0 EXIST::FUNCTION: OSSL_STORE_LOADER_settable_ctx_params ? 3_6_0 EXIST::FUNCTION:
X509_CRL_get0_tbs_sigalg ? 3_6_0 EXIST::FUNCTION: