x509_acert: Load attributes from config file section

Several of the attribute values defined for use by attribute certificates
use multi-valued data in an ASN.1 SEQUENCE. Allow reading of these values
from a configuration file, similar to how generic X.509 extensions are
handled.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15857)

2 files changed, 69 insertions, 0 deletions

diff --git a/doc/build.info b/doc/build.info
index 373f61476e..c7cb6d5d4f 100644
--- a/doc/build.info
+++ b/doc/build.info
@@ -2811,6 +2811,10 @@ DEPEND[html/man3/X509_ACERT_add1_attr.html]=man3/X509_ACERT_add1_attr.pod
 GENERATE[html/man3/X509_ACERT_add1_attr.html]=man3/X509_ACERT_add1_attr.pod
 DEPEND[man/man3/X509_ACERT_add1_attr.3]=man3/X509_ACERT_add1_attr.pod
 GENERATE[man/man3/X509_ACERT_add1_attr.3]=man3/X509_ACERT_add1_attr.pod
+DEPEND[html/man3/X509_ACERT_add_attr_nconf.html]=man3/X509_ACERT_add_attr_nconf.pod
+GENERATE[html/man3/X509_ACERT_add_attr_nconf.html]=man3/X509_ACERT_add_attr_nconf.pod
+DEPEND[man/man3/X509_ACERT_add_attr_nconf.3]=man3/X509_ACERT_add_attr_nconf.pod
+GENERATE[man/man3/X509_ACERT_add_attr_nconf.3]=man3/X509_ACERT_add_attr_nconf.pod
 DEPEND[html/man3/X509_ACERT_get0_holder_baseCertId.html]=man3/X509_ACERT_get0_holder_baseCertId.pod
 GENERATE[html/man3/X509_ACERT_get0_holder_baseCertId.html]=man3/X509_ACERT_get0_holder_baseCertId.pod
 DEPEND[man/man3/X509_ACERT_get0_holder_baseCertId.3]=man3/X509_ACERT_get0_holder_baseCertId.pod
@@ -3658,6 +3662,7 @@ html/man3/UI_new.html \
 html/man3/X509V3_get_d2i.html \
 html/man3/X509V3_set_ctx.html \
 html/man3/X509_ACERT_add1_attr.html \
+html/man3/X509_ACERT_add_attr_nconf.html \
 html/man3/X509_ACERT_get0_holder_baseCertId.html \
 html/man3/X509_ACERT_get_attr.html \
 html/man3/X509_ACERT_print_ex.html \
@@ -4309,6 +4314,7 @@ man/man3/UI_new.3 \
 man/man3/X509V3_get_d2i.3 \
 man/man3/X509V3_set_ctx.3 \
 man/man3/X509_ACERT_add1_attr.3 \
+man/man3/X509_ACERT_add_attr_nconf.3 \
 man/man3/X509_ACERT_get0_holder_baseCertId.3 \
 man/man3/X509_ACERT_get_attr.3 \
 man/man3/X509_ACERT_print_ex.3 \
diff --git a/doc/man3/X509_ACERT_add_attr_nconf.pod b/doc/man3/X509_ACERT_add_attr_nconf.pod
new file mode 100644
index 0000000000..a16d31c3f3
--- /dev/null
+++ b/doc/man3/X509_ACERT_add_attr_nconf.pod
@@ -0,0 +1,63 @@
+=pod
+
+=head1 NAME
+
+X509_ACERT_add_attr_nconf
+- Add attributes to X509_ACERT from configuration section
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509_acert.h>
+
+ int X509_ACERT_add_attr_nconf(CONF *conf, const char *section,
+                               X509_ACERT *acert);
+
+=head1 DESCRIPTION
+
+X509_ACERT_add_attr_nconf() adds one or more B<X509_ATTRIBUTE>s to the
+existing B<X509_ACERT> structure I<acert>. The attributes are read
+from a I<section> of the I<conf> object.
+
+The give I<section> of the configuration should contain attribute
+descriptions of the form:
+
+  attribute_name = value
+
+The format of B<value> will vary depending on the B<attribute_name>.
+B<value> can either be a string value or an B<ASN1_TYPE>
+object.
+
+To encode an B<ASN1_TYPE> object, use the prefix "ASN1:" followed by
+the object description that uses the same syntax as L<ASN1_generate_nconf(3)>.
+For example:
+
+ id-aca-group = ASN1:SEQUENCE:ietfattr
+
+ [ietfattr]
+ values = SEQUENCE:groups
+
+ [groups]
+ 1.string = UTF8:mygroup1
+
+=head1 RETURN VALUES
+
+X509_ACERT_add_attr_nconf() returns 1 for success and 0 for failure.
+
+=head1 SEE ALSO
+
+L<ASN1_generate_nconf(3)>.
+
+=head1 HISTORY
+
+The function X509_ACERT_add_attr_nconf() was added in OpenSSL 3.4.
+
+=head1 COPYRIGHT
+
+Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut