Add IETFAttrSyntax type support

The IETFAtrrSyntax type is used for the values of several attributes
defined in RFC 5755 for use with attribute certificates.
Specifically this type is used with the "Charging Identity" and
"Group" attributes.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15857)

2 files changed, 241 insertions, 1 deletions

diff --git a/crypto/x509/build.info b/crypto/x509/build.info
index 873a9838b5..6cebadea77 100644
--- a/crypto/x509/build.info
+++ b/crypto/x509/build.info
@@ -16,7 +16,7 @@ SOURCE[../../libcrypto]=\
         pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \
         v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c v3_no_rev_avail.c \
         v3_soa_id.c v3_no_ass.c v3_group_ac.c v3_single_use.c v3_ind_iss.c \
-        x509_acert.c x509aset.c t_acert.c
+        x509_acert.c x509aset.c t_acert.c x_ietfatt.c
 
 IF[{- !$disabled{'deprecated-3.0'} -}]
   SOURCE[../../libcrypto]=x509type.c
diff --git a/crypto/x509/x_ietfatt.c b/crypto/x509/x_ietfatt.c
new file mode 100644
index 0000000000..08db0bafc7
--- /dev/null
+++ b/crypto/x509/x_ietfatt.c
@@ -0,0 +1,240 @@
+/*
+ * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/err.h>
+#include <openssl/asn1t.h>
+#include <openssl/x509_acert.h>
+
+/*-
+ * Definition of IetfAttrSyntax from RFC 5755 4.4
+ *
+ * IetfAttrSyntax ::= SEQUENCE {
+ *   policyAuthority [0] GeneralNames    OPTIONAL,
+ *   values          SEQUENCE OF CHOICE {
+ *                     octets    OCTET STRING,
+ *                     oid       OBJECT IDENTIFIER,
+ *                     string    UTF8String
+ *                   }
+ * }
+ *
+ * Section 4.4.2 states that all values in the sequence MUST use the
+ * same choice of value (octet, oid or string).
+ */
+
+struct OSSL_IETF_ATTR_SYNTAX_VALUE_st {
+    int type;
+    union {
+        ASN1_OCTET_STRING *octets;
+        ASN1_OBJECT *oid;
+        ASN1_UTF8STRING *string;
+    } u;
+};
+
+struct OSSL_IETF_ATTR_SYNTAX_st {
+    GENERAL_NAMES *policyAuthority;
+    int type;
+    STACK_OF(OSSL_IETF_ATTR_SYNTAX_VALUE) *values;
+};
+
+ASN1_CHOICE(OSSL_IETF_ATTR_SYNTAX_VALUE) = {
+    ASN1_SIMPLE(OSSL_IETF_ATTR_SYNTAX_VALUE, u.octets, ASN1_OCTET_STRING),
+    ASN1_SIMPLE(OSSL_IETF_ATTR_SYNTAX_VALUE, u.oid, ASN1_OBJECT),
+    ASN1_SIMPLE(OSSL_IETF_ATTR_SYNTAX_VALUE, u.string, ASN1_UTF8STRING),
+} ASN1_CHOICE_END(OSSL_IETF_ATTR_SYNTAX_VALUE)
+
+ASN1_SEQUENCE(OSSL_IETF_ATTR_SYNTAX) = {
+    ASN1_IMP_SEQUENCE_OF_OPT(OSSL_IETF_ATTR_SYNTAX, policyAuthority, GENERAL_NAME, 0),
+    ASN1_SEQUENCE_OF(OSSL_IETF_ATTR_SYNTAX, values, OSSL_IETF_ATTR_SYNTAX_VALUE),
+} ASN1_SEQUENCE_END(OSSL_IETF_ATTR_SYNTAX)
+
+IMPLEMENT_ASN1_ALLOC_FUNCTIONS(OSSL_IETF_ATTR_SYNTAX)
+IMPLEMENT_ASN1_ALLOC_FUNCTIONS(OSSL_IETF_ATTR_SYNTAX_VALUE)
+
+OSSL_IETF_ATTR_SYNTAX *d2i_OSSL_IETF_ATTR_SYNTAX (OSSL_IETF_ATTR_SYNTAX **a,
+                                                  const unsigned char **in,
+                                                  long len)
+{
+    OSSL_IETF_ATTR_SYNTAX *ias;
+    int i;
+
+    ias = (OSSL_IETF_ATTR_SYNTAX *) ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+                                                  OSSL_IETF_ATTR_SYNTAX_it());
+    if (ias == NULL)
+        return ias;
+
+    for (i = 0; i < sk_OSSL_IETF_ATTR_SYNTAX_VALUE_num(ias->values); i++)
+    {
+        OSSL_IETF_ATTR_SYNTAX_VALUE *val;
+
+        val = sk_OSSL_IETF_ATTR_SYNTAX_VALUE_value(ias->values, i);
+        if (i == 0)
+            ias->type = val->type;
+        else if (val->type != ias->type)
+            goto invalid_types;
+    }
+
+    return ias;
+
+invalid_types:
+    OSSL_IETF_ATTR_SYNTAX_free(ias);
+    if (a)
+        *a = NULL;
+    ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_INVALID_ARGUMENT);
+    return NULL;
+}
+
+int i2d_OSSL_IETF_ATTR_SYNTAX (const OSSL_IETF_ATTR_SYNTAX *a,
+                               unsigned char **out)
+{
+    return ASN1_item_i2d((const ASN1_VALUE *)a, out, OSSL_IETF_ATTR_SYNTAX_it());
+}
+
+int OSSL_IETF_ATTR_SYNTAX_get_value_num(const OSSL_IETF_ATTR_SYNTAX *a)
+{
+    if (a->values == NULL)
+        return 0;
+
+    return sk_OSSL_IETF_ATTR_SYNTAX_VALUE_num(a->values);
+}
+
+const GENERAL_NAMES *
+OSSL_IETF_ATTR_SYNTAX_get0_policyAuthority(const OSSL_IETF_ATTR_SYNTAX *a)
+{
+    return a->policyAuthority;
+}
+
+void OSSL_IETF_ATTR_SYNTAX_set0_policyAuthority(OSSL_IETF_ATTR_SYNTAX *a,
+                                                GENERAL_NAMES *names)
+{
+    GENERAL_NAMES_free(a->policyAuthority);
+    a->policyAuthority = names;
+}
+
+void *OSSL_IETF_ATTR_SYNTAX_get0_value(const OSSL_IETF_ATTR_SYNTAX *a,
+                                       int ind, int *type)
+{
+    OSSL_IETF_ATTR_SYNTAX_VALUE *val;
+
+    val = sk_OSSL_IETF_ATTR_SYNTAX_VALUE_value(a->values, ind);
+    if (val == NULL)
+        return NULL;
+
+    if (type != NULL)
+        *type = val->type;
+
+    switch (val->type) {
+    case OSSL_IETFAS_OCTETS:
+        return val->u.octets;
+    case OSSL_IETFAS_OID:
+        return val->u.oid;
+    case OSSL_IETFAS_STRING:
+        return val->u.string;
+    }
+
+    return NULL;
+}
+
+int OSSL_IETF_ATTR_SYNTAX_add1_value(OSSL_IETF_ATTR_SYNTAX *a, int type,
+                                     void *data)
+{
+    OSSL_IETF_ATTR_SYNTAX_VALUE *val;
+
+    if (data == NULL)
+        return 0;
+
+    if (a->values == NULL) {
+        if ((a->values = sk_OSSL_IETF_ATTR_SYNTAX_VALUE_new_null()) == NULL)
+            goto err;
+        a->type = type;
+    }
+
+    if (type != a->type) {
+        ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_INVALID_ARGUMENT);
+        return 0;
+    }
+
+    if ((val = OSSL_IETF_ATTR_SYNTAX_VALUE_new()) == NULL)
+        goto err;
+
+    val->type = type;
+    switch (type) {
+    case OSSL_IETFAS_OCTETS:
+        val->u.octets = data;
+        break;
+    case OSSL_IETFAS_OID:
+        val->u.oid = data;
+        break;
+    case OSSL_IETFAS_STRING:
+        val->u.string = data;
+        break;
+    default:
+        ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_INVALID_ARGUMENT);
+        return 0;
+    }
+
+    if (sk_OSSL_IETF_ATTR_SYNTAX_VALUE_push(a->values, val) <= 0) {
+        OSSL_IETF_ATTR_SYNTAX_VALUE_free(val);
+        return 0;
+    }
+
+    return 1;
+
+err:
+    ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
+    return 0;
+}
+
+int OSSL_IETF_ATTR_SYNTAX_print(BIO *bp, OSSL_IETF_ATTR_SYNTAX *a, int indent)
+{
+    int i;
+
+    if (a->policyAuthority != NULL) {
+        for (i = 0; i < sk_GENERAL_NAME_num(a->policyAuthority); i++) {
+            if (BIO_printf(bp, "%*s", indent, "") <= 0)
+                goto err;
+
+            if (GENERAL_NAME_print(bp, sk_GENERAL_NAME_value(a->policyAuthority,
+                                                             i)) <= 0)
+                goto err;
+
+            if (BIO_printf(bp, "\n") <= 0)
+                goto err;
+        }
+    }
+
+    for (i = 0; i < OSSL_IETF_ATTR_SYNTAX_get_value_num(a); i++) {
+        char oidstr[80];
+        int ietf_type;
+        void *attr_value = OSSL_IETF_ATTR_SYNTAX_get0_value(a, i, &ietf_type);
+
+        if (attr_value == NULL)
+            goto err;
+
+        if (BIO_printf(bp, "%*s", indent, "") <= 0)
+            goto err;
+
+        switch (ietf_type) {
+        case OSSL_IETFAS_OID:
+            OBJ_obj2txt(oidstr, sizeof(oidstr), attr_value, 0);
+            BIO_printf(bp, "%.*s", (int) sizeof(oidstr), oidstr);
+            break;
+        case OSSL_IETFAS_OCTETS:
+        case OSSL_IETFAS_STRING:
+            ASN1_STRING_print(bp, attr_value);
+            break;
+        }
+    }
+    if (BIO_printf(bp, "\n") <= 0)
+        goto err;
+
+    return 1;
+
+err:
+    return 0;
+}