authorDamian Hobson-Garcia <dhobsong@igel.co.jp>2023-06-30 17:03:57 -0400
committerMatt Caswell <matt@openssl.org>2024-04-24 14:05:35 +0100
commitb97fb22f596bfb528e69402b1bdcdf144a563918 (patch)
treed1595ff10774bf761f6889e9f2131afff8e741fa /crypto
parent62960b8710a39d58fe386a51dccbd35bd973220f (diff)
x509_acert: Add API to sign and verify attribute certificates
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15857)
Diffstat (limited to 'crypto')
-rw-r--r--crypto/x509/x_all.c26
1 files changed, 26 insertions, 0 deletions
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 95c91a0f20..3083eb1dca 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -19,6 +19,7 @@
#include <openssl/asn1.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
+#include <openssl/x509_acert.h>
#include <openssl/http.h>
#include <openssl/rsa.h>
#include <openssl/dsa.h>
@@ -52,6 +53,16 @@ int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
return X509_REQ_verify_ex(a, r, NULL, NULL);
}
+int X509_ACERT_verify(X509_ACERT *a, EVP_PKEY *r)
+{
+ if (X509_ALGOR_cmp(&a->sig_alg, &a->acinfo->signature) != 0)
+ return 0;
+
+ return ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_ACERT_INFO), &a->sig_alg,
+ &a->signature, a->acinfo,
+ NULL, r, NULL, NULL);
+}
+
int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
{
return ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC),
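Review bot: `X509_ACERT_verify` is added without a comment stating its return contract, which matters for a signature check. It returns 0 when the outer `sig_alg` differs from `acinfo->signature`, and otherwise forwards the result of `ASN1_item_verify_ex`, which can be negative on an internal error. A caller that writes `if (X509_ACERT_verify(a, key))` would therefore accept an attribute certificate whose signature was never checked. I would add above the function `/* Returns 1 if the signature is valid, 0 if not (including a sig_alg / acinfo->signature mismatch), <0 on error; test for == 1. */`.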
@@ -174,6 +185,21 @@ X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout)
ASN1_ITEM_rptr(X509_CRL));
}
+int X509_ACERT_sign(X509_ACERT *x, EVP_PKEY *pkey, const EVP_MD *md)
+{
+ return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_ACERT_INFO), &x->sig_alg,
+ &x->acinfo->signature,
+ &x->signature, x->acinfo, NULL,
+ pkey, md, NULL, NULL);
+}
+
+int X509_ACERT_sign_ctx(X509_ACERT *x, EVP_MD_CTX *ctx)
+{
+ return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_ACERT_INFO),
+ &x->sig_alg, &x->acinfo->signature, &x->signature,
+ &x->acinfo, ctx);
+}
+
int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
{
return
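Review bot: `X509_ACERT_sign_ctx` passes `&x->acinfo` as the data to be signed, whereas `X509_ACERT_sign` in this same hunk passes `x->acinfo` and `X509_ACERT_verify` passes `a->acinfo`. The expression `x->acinfo->signature` shows that `acinfo` is a pointer, so `&x->acinfo` gives the encoder the address of that pointer rather than the `X509_ACERT_INFO` object. The encoder would then presumably read the wrong memory as an `X509_ACERT_INFO`, so the signature would not verify against the certificate. The last argument line should read `x->acinfo, ctx);`, and a sign-with-ctx then verify round-trip test would catch a regression.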