authorNikolay Morozov <nmorozoff77@yandex.ru>2020-03-02 10:17:30 +0300
committerDmitry Belyavskiy <beldmit@gmail.com>2020-03-25 15:33:53 +0300
commit71f852802f453db9be24bb83385288c7d7b83ae1 (patch)
tree6e25b386a15a51df5e8a8d9e87b9c69dd3fda159 /crypto/x509
parent129c22840ee73c0c6cb1e5ed629fa361b688e537 (diff)
Issuer Sign Tool extention support
Issuer Sign Tool (1.2.643.100.112): the name of the tool used to sign the subject (ASN1_SEQUENCE). This extension is required to obtain the status of a qualified certificate in the Russian Federation. An RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5 Russian Federal Law 63 "Digital Sign" is available here: http://www.consultant.ru/document/cons_doc_LAW_112701/ Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11216)
Diffstat (limited to 'crypto/x509')
-rw-r--r--crypto/x509/build.info2
-rw-r--r--crypto/x509/ext_dat.h1
-rw-r--r--crypto/x509/standard_exts.h1
-rw-r--r--crypto/x509/v3_ist.c149
4 files changed, 152 insertions, 1 deletions
diff --git a/crypto/x509/build.info b/crypto/x509/build.info
index c836ef1c2e..04b63d0bc3 100644
--- a/crypto/x509/build.info
+++ b/crypto/x509/build.info
@@ -12,6 +12,6 @@ SOURCE[../../libcrypto]=\
v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \
v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c \
v3_info.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c \
- v3_pcia.c v3_pci.c \
+ v3_pcia.c v3_pci.c v3_ist.c \
pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \
v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c
diff --git a/crypto/x509/ext_dat.h b/crypto/x509/ext_dat.h
index 4329c44065..b2fecaa165 100644
--- a/crypto/x509/ext_dat.h
+++ b/crypto/x509/ext_dat.h
@@ -24,3 +24,4 @@ extern const X509V3_EXT_METHOD v3_ct_scts[3];
extern const X509V3_EXT_METHOD v3_tls_feature;
extern const X509V3_EXT_METHOD v3_ext_admission;
extern const X509V3_EXT_METHOD v3_utf8_list[1];
+extern const X509V3_EXT_METHOD v3_issuer_sign_tool;
diff --git a/crypto/x509/standard_exts.h b/crypto/x509/standard_exts.h
index d66b6554f1..18f2c32485 100644
--- a/crypto/x509/standard_exts.h
+++ b/crypto/x509/standard_exts.h
@@ -69,6 +69,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
&v3_ct_scts[2],
#endif
&v3_utf8_list[0],
+ &v3_issuer_sign_tool,
&v3_tls_feature,
&v3_ext_admission
};
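Review bot: The new `&v3_issuer_sign_tool` entry is placed by position only, and nothing in the hunk says what order standard_exts[] must keep; if the table is searched by binary search on ext_nid, as I believe it is, the entry is only valid here when NID_issuerSignTool sorts between the NID of v3_utf8_list[0] and NID_tls_feature, so those values should be confirmed rather than assumed. A one-line comment above the array, `/* Must stay sorted by ext_nid: looked up by bsearch */` (or a note that the order is unconstrained, if that is the case), would save the next addition the same question.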
diff --git a/crypto/x509/v3_ist.c b/crypto/x509/v3_ist.c
new file mode 100644
index 0000000000..6db4f19913
--- /dev/null
+++ b/crypto/x509/v3_ist.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include "internal/cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/x509v3.h>
+#include "ext_dat.h"
+
+/*
+ * Issuer Sign Tool (1.2.643.100.112) The name of the tool used to signs the subject (ASN1_SEQUENCE)
+ * This extention is required to obtain the status of a qualified certificate at Russian Federation.
+ * RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5
+ * Russian Federal Law 63 "Digital Sign" is available here: http://www.consultant.ru/document/cons_doc_LAW_112701/
+ */
+
+ASN1_SEQUENCE(ISSUER_SIGN_TOOL) = {
+ ASN1_SIMPLE(ISSUER_SIGN_TOOL, signTool, ASN1_UTF8STRING),
+ ASN1_SIMPLE(ISSUER_SIGN_TOOL, cATool, ASN1_UTF8STRING),
+ ASN1_SIMPLE(ISSUER_SIGN_TOOL, signToolCert, ASN1_UTF8STRING),
+ ASN1_SIMPLE(ISSUER_SIGN_TOOL, cAToolCert, ASN1_UTF8STRING)
+} ASN1_SEQUENCE_END(ISSUER_SIGN_TOOL)
+
+IMPLEMENT_ASN1_FUNCTIONS(ISSUER_SIGN_TOOL)
+
+
+static ISSUER_SIGN_TOOL *v2i_issuer_sign_tool(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+ STACK_OF(CONF_VALUE) *nval)
+{
+ ISSUER_SIGN_TOOL *ist = ISSUER_SIGN_TOOL_new();
+ int i;
+
+ if (ist == NULL) {
+ X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ for (i = 0; i < sk_CONF_VALUE_num(nval); ++i) {
+ CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
+
+ if (cnf == NULL) {
+ continue;
+ }
+ if (strcmp(cnf->name, "signTool") == 0) {
+ ist->signTool = ASN1_UTF8STRING_new();
+ if (ist->signTool == NULL) {
+ X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE);
+ ISSUER_SIGN_TOOL_free(ist);
+ return NULL;
+ }
+ ASN1_STRING_set(ist->signTool, cnf->value, strlen(cnf->value));
+ } else if (strcmp(cnf->name, "cATool") == 0) {
+ ist->cATool = ASN1_UTF8STRING_new();
+ if (ist->cATool == NULL) {
+ X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE);
+ ISSUER_SIGN_TOOL_free(ist);
+ return NULL;
+ }
+ ASN1_STRING_set(ist->cATool, cnf->value, strlen(cnf->value));
+ } else if (strcmp(cnf->name, "signToolCert") == 0) {
+ ist->signToolCert = ASN1_UTF8STRING_new();
+ if (ist->signToolCert == NULL) {
+ X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE);
+ ISSUER_SIGN_TOOL_free(ist);
+ return NULL;
+ }
+ ASN1_STRING_set(ist->signToolCert, cnf->value, strlen(cnf->value));
+ } else if (strcmp(cnf->name, "cAToolCert") == 0) {
+ ist->cAToolCert = ASN1_UTF8STRING_new();
+ if (ist->cAToolCert == NULL) {
+ X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE);
+ ISSUER_SIGN_TOOL_free(ist);
+ return NULL;
+ }
+ ASN1_STRING_set(ist->cAToolCert, cnf->value, strlen(cnf->value));
+ } else {
+ X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_PASSED_INVALID_ARGUMENT);
+ ISSUER_SIGN_TOOL_free(ist);
+ return NULL;
+ }
+ }
+ return ist;
+}
+
+static int i2r_issuer_sign_tool(X509V3_EXT_METHOD *method,
+ ISSUER_SIGN_TOOL *ist, BIO *out,
+ int indent)
+{
+ int new_line = 0;
+
+ if (ist == NULL) {
+ X509V3err(X509V3_F_I2R_ISSUER_SIGN_TOOL, ERR_R_PASSED_INVALID_ARGUMENT);
+ return 0;
+ }
+ if (ist->signTool != NULL) {
+ if (new_line == 1) {
+ BIO_write(out, "\n", 1);
+ }
+ BIO_printf(out, "%*ssignTool : ", indent, "");
+ BIO_write(out, ist->signTool->data, ist->signTool->length);
+ new_line = 1;
+ }
+ if (ist->cATool != NULL) {
+ if (new_line == 1) {
+ BIO_write(out, "\n", 1);
+ }
+ BIO_printf(out, "%*scATool : ", indent, "");
+ BIO_write(out, ist->cATool->data, ist->cATool->length);
+ new_line = 1;
+ }
+ if (ist->signToolCert != NULL) {
+ if (new_line == 1) {
+ BIO_write(out, "\n", 1);
+ }
+ BIO_printf(out, "%*ssignToolCert: ", indent, "");
+ BIO_write(out, ist->signToolCert->data, ist->signToolCert->length);
+ new_line = 1;
+ }
+ if (ist->cAToolCert != NULL) {
+ if (new_line == 1) {
+ BIO_write(out, "\n", 1);
+ }
+ BIO_printf(out, "%*scAToolCert : ", indent, "");
+ BIO_write(out, ist->cAToolCert->data, ist->cAToolCert->length);
+ new_line = 1;
+ }
+ return 1;
+}
+
+const X509V3_EXT_METHOD v3_issuer_sign_tool = {
+ NID_issuerSignTool, /* nid */
+ X509V3_EXT_MULTILINE, /* flags */
+ ASN1_ITEM_ref(ISSUER_SIGN_TOOL), /* template */
+ 0, 0, 0, 0, /* old functions, ignored */
+ 0, /* i2s */
+ 0, /* s2i */
+ 0, /* i2v */
+ (X509V3_EXT_V2I)v2i_issuer_sign_tool, /* v2i */
+ (X509V3_EXT_I2R)i2r_issuer_sign_tool, /* i2r */
+ 0, /* r2i */
+ NULL /* extension-specific data */
+};
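Review bot: In v2i_issuer_sign_tool each recognised key does `ist->signTool = ASN1_UTF8STRING_new();` before ASN1_STRING_set, so a key that appears twice in the config overwrites the previous pointer without freeing it, and, as far as I can tell from the ASN1 template machinery (ASN1_SIMPLE fields are not OPTIONAL, so ISSUER_SIGN_TOOL_new() should already allocate all four), the constructor's allocation leaks on every call; filling the existing field in place avoids both. The return value of ASN1_STRING_set is ignored in all four branches (the signTool, cATool, signToolCert and cAToolCert lines), so an allocation failure yields an extension with a silently empty field rather than an error; the rewrite below checks it and folds the four duplicated cleanup paths into one `err:` label. In i2r_issuer_sign_tool the UTF8String contents decoded from the certificate are written raw with BIO_write; `ASN1_STRING_print_ex(out, ist->signTool, ASN1_STRFLGS_ESC_CTRL)` (and likewise for the other three fields) would keep control characters from a crafted certificate out of the printed output. The header comment's "extention" and "used to signs" could be corrected in passing.
```c
static ISSUER_SIGN_TOOL *v2i_issuer_sign_tool(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
                                              STACK_OF(CONF_VALUE) *nval)
{
    ISSUER_SIGN_TOOL *ist = ISSUER_SIGN_TOOL_new();
    int i;

    /* … unchanged: NULL check on ist with ERR_R_MALLOC_FAILURE … */
    for (i = 0; i < sk_CONF_VALUE_num(nval); ++i) {
        CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
        ASN1_UTF8STRING *field;

        if (cnf == NULL) {
            continue;
        }
        /* Select the field already allocated by ISSUER_SIGN_TOOL_new(); set it in place. */
        if (strcmp(cnf->name, "signTool") == 0) {
            field = ist->signTool;
        } else if (strcmp(cnf->name, "cATool") == 0) {
            field = ist->cATool;
        } else if (strcmp(cnf->name, "signToolCert") == 0) {
            field = ist->signToolCert;
        } else if (strcmp(cnf->name, "cAToolCert") == 0) {
            field = ist->cAToolCert;
        } else {
            X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_PASSED_INVALID_ARGUMENT);
            goto err;
        }
        if (!ASN1_STRING_set(field, cnf->value, strlen(cnf->value))) {
            X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE);
            goto err;
        }
    }
    return ist;

 err:
    ISSUER_SIGN_TOOL_free(ist);
    return NULL;
}
```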