Add RFC 5755 attribute certificate support

Add support for attribute certificates (v2) as described
in RFC 5755 profile.

Attribute certificates provide a mechanism to manage authorization
information separately from the identity information provided by
public key certificates.

This initial patch adds the ASN.1 definitions
and I/O API.  Accessor functions for the certificate fields
will be added in subsequent patches.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15857)

3 files changed, 31 insertions, 0 deletions

diff --git a/doc/man3/PEM_read_bio_PrivateKey.pod b/doc/man3/PEM_read_bio_PrivateKey.pod
index ac93920add..6e521b268f 100644
--- a/doc/man3/PEM_read_bio_PrivateKey.pod
+++ b/doc/man3/PEM_read_bio_PrivateKey.pod
@@ -26,6 +26,8 @@ PEM_write_bio_Parameters, PEM_read_bio_DSAparams, PEM_read_DSAparams,
 PEM_write_bio_DSAparams, PEM_write_DSAparams, PEM_read_bio_DHparams,
 PEM_read_DHparams, PEM_write_bio_DHparams, PEM_write_DHparams,
 PEM_read_bio_X509, PEM_read_X509, PEM_write_bio_X509, PEM_write_X509,
+PEM_read_bio_X509_ACERT, PEM_read_X509_ACERT,
+PEM_write_bio_X509_ACERT, PEM_write_X509_ACERT,
 PEM_read_bio_X509_AUX, PEM_read_X509_AUX, PEM_write_bio_X509_AUX,
 PEM_write_X509_AUX, PEM_read_bio_X509_REQ, PEM_read_X509_REQ,
 PEM_write_bio_X509_REQ, PEM_write_X509_REQ, PEM_write_bio_X509_REQ_NEW,
@@ -108,6 +110,13 @@ PEM_write_bio_PKCS7, PEM_write_PKCS7 - PEM routines
  int PEM_write_bio_X509(BIO *bp, X509 *x);
  int PEM_write_X509(FILE *fp, X509 *x);
 
+ X509_ACERT *PEM_read_bio_X509_ACERT(BIO *bp, X509_ACERT **x,
+                                     pem_password_cb *cb, void *u);
+ X509_ACERT *PEM_read_X509_ACERT(FILE *fp, X509_ACERT **x,
+                                     pem_password_cb *cb, void *u);
+ int PEM_write_bio_X509_ACERT(BIO *bp, X509_ACERT *x);
+ int PEM_write_X509_ACERT(FILE *fp, X509_ACERT *x);
+
  X509 *PEM_read_bio_X509_AUX(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
  X509 *PEM_read_X509_AUX(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
  int PEM_write_bio_X509_AUX(BIO *bp, X509 *x);
@@ -287,6 +296,9 @@ The B<X509> functions process an X509 certificate using an X509
 structure. They will also process a trusted X509 certificate but
 any trust settings are discarded.
 
+The B<X509_ACERT> functions process an X509 attribute certificate using
+an X509_ACERT structure.
+
 The B<X509_AUX> functions process a trusted X509 certificate using
 an X509 structure.
 
diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod
index 86a259f025..621427e3fb 100644
--- a/doc/man3/X509_dup.pod
+++ b/doc/man3/X509_dup.pod
@@ -171,6 +171,10 @@ OSSL_CRMF_PKIPUBLICATIONINFO_new,
 OSSL_CRMF_SINGLEPUBINFO_free,
 OSSL_CRMF_SINGLEPUBINFO_it,
 OSSL_CRMF_SINGLEPUBINFO_new,
+OSSL_ISSUER_SERIAL_free,
+OSSL_ISSUER_SERIAL_new,
+OSSL_OBJECT_DIGEST_INFO_free,
+OSSL_OBJECT_DIGEST_INFO_new,
 OTHERNAME_free,
 OTHERNAME_new,
 PBE2PARAM_free,
@@ -265,6 +269,15 @@ TS_TST_INFO_free,
 TS_TST_INFO_new,
 USERNOTICE_free,
 USERNOTICE_new,
+X509_ACERT_dup,
+X509_ACERT_free,
+X509_ACERT_it,
+X509_ACERT_new,
+X509_ACERT_INFO_free,
+X509_ACERT_INFO_it,
+X509_ACERT_INFO_new,
+X509_ACERT_ISSUER_V2FORM_free,
+X509_ACERT_ISSUER_V2FORM_new,
 X509_ALGOR_free,
 X509_ALGOR_it,
 X509_ALGOR_new,
diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod
index 00efb60358..6c4464deb4 100644
--- a/doc/man3/d2i_X509.pod
+++ b/doc/man3/d2i_X509.pod
@@ -157,6 +157,9 @@ d2i_USERNOTICE,
 d2i_X509,
 d2i_X509_bio,
 d2i_X509_fp,
+d2i_X509_ACERT,
+d2i_X509_ACERT_bio,
+d2i_X509_ACERT_fp,
 d2i_X509_ALGOR,
 d2i_X509_ALGORS,
 d2i_X509_ATTRIBUTE,
@@ -331,6 +334,9 @@ i2d_USERNOTICE,
 i2d_X509,
 i2d_X509_bio,
 i2d_X509_fp,
+i2d_X509_ACERT,
+i2d_X509_ACERT_bio,
+i2d_X509_ACERT_fp,
 i2d_X509_ALGOR,
 i2d_X509_ALGORS,
 i2d_X509_ATTRIBUTE,