authorDamian Hobson-Garcia <dhobsong@igel.co.jp>2021-05-13 11:53:59 +0900
committerMatt Caswell <matt@openssl.org>2024-04-24 14:05:32 +0100
commit7dcee34c8f921ad65277e9a75fca4a7337fbed6d (patch)
tree199b3280d344f059004f29c144bfc9364f3bc13b /include
parent0339382abad578ccb3989799ea2fb99dfb2d099b (diff)
Add RFC 5755 attribute certificate support
Add support for attribute certificates (v2) as described in the RFC 5755 profile. Attribute certificates provide a mechanism to manage authorization information separately from the identity information provided by public key certificates. This initial patch adds the ASN.1 definitions and I/O API. Accessor functions for the certificate fields will be added in subsequent patches. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15857)
Diffstat (limited to 'include')
-rw-r--r--include/crypto/x509_acert.h66
-rw-r--r--include/openssl/pem.h1
-rw-r--r--include/openssl/x509_acert.h.in48
3 files changed, 115 insertions, 0 deletions
diff --git a/include/crypto/x509_acert.h b/include/crypto/x509_acert.h
new file mode 100644
index 0000000000..3223bf6234
--- /dev/null
+++ b/include/crypto/x509_acert.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_X509_ACERT_H
+# define OSSL_CRYPTO_X509_ACERT_H
+# pragma once
+
+# include <openssl/x509_acert.h>
+
+struct ossl_object_digest_info_st {
+ ASN1_ENUMERATED digestedObjectType;
+ ASN1_OBJECT *otherObjectTypeID;
+ X509_ALGOR digestAlgorithm;
+ ASN1_BIT_STRING objectDigest;
+};
+
+struct ossl_issuer_serial_st {
+ STACK_OF(GENERAL_NAME) *issuer;
+ ASN1_INTEGER serial;
+ ASN1_BIT_STRING *issuerUID;
+};
+
+struct X509_acert_issuer_v2form_st {
+ STACK_OF(GENERAL_NAME) *issuerName;
+ OSSL_ISSUER_SERIAL *baseCertificateId;
+ OSSL_OBJECT_DIGEST_INFO *objectDigestInfo;
+};
+
+typedef struct X509_acert_issuer_st {
+ int type;
+ union {
+ STACK_OF(GENERAL_NAME) *v1Form;
+ X509_ACERT_ISSUER_V2FORM *v2Form;
+ } u;
+} X509_ACERT_ISSUER;
+
+typedef struct X509_holder_st {
+ OSSL_ISSUER_SERIAL *baseCertificateID;
+ STACK_OF(GENERAL_NAME) *entityName;
+ OSSL_OBJECT_DIGEST_INFO *objectDigestInfo;
+} X509_HOLDER;
+
+struct X509_acert_info_st {
+ ASN1_INTEGER version; /* default of v2 */
+ X509_HOLDER holder;
+ X509_ACERT_ISSUER issuer;
+ X509_ALGOR signature;
+ ASN1_INTEGER serialNumber;
+ X509_VAL validityPeriod;
+ STACK_OF(X509_ATTRIBUTE) *attributes;
+ ASN1_BIT_STRING *issuerUID;
+ X509_EXTENSIONS *extensions;
+};
+
+struct X509_acert_st {
+ X509_ACERT_INFO *acinfo;
+ X509_ALGOR sig_alg;
+ ASN1_BIT_STRING signature;
+};
+#endif
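Review bot: `X509_VAL validityPeriod` in struct X509_acert_info_st reuses X509_VAL, whose notBefore/notAfter are ASN1_TIME and therefore accept UTCTime as well as GeneralizedTime, while RFC 5755 section 4.1 defines AttCertValidityPeriod with GeneralizedTime for both fields; whether the decoder enforces that depends on the ASN.1 template in the .c file, which is not part of this diff. A field comment would make the constraint visible to whoever maintains that template: `X509_VAL validityPeriod; /* RFC 5755 4.1: both times MUST be GeneralizedTime */`. Relatedly, `/* default of v2 */` on `version` understates the rule, since RFC 5755 requires the version to be v2 (AttCertVersion INTEGER value 1), so `/* RFC 5755 4.1: MUST be v2 (INTEGER 1) */` is more precise. None of the other fields say which members are OPTIONAL in the ASN.1; the pointer-versus-value distinction carries it implicitly, and a short `/* OPTIONAL */` on issuerName, baseCertificateId, objectDigestInfo, issuerUID and extensions would spare readers a trip to the RFC.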
diff --git a/include/openssl/pem.h b/include/openssl/pem.h
index 0446c77019..6ea1a49a69 100644
--- a/include/openssl/pem.h
+++ b/include/openssl/pem.h
@@ -58,6 +58,7 @@ extern "C" {
# define PEM_STRING_PARAMETERS "PARAMETERS"
# define PEM_STRING_CMS "CMS"
# define PEM_STRING_SM2PARAMETERS "SM2 PARAMETERS"
+# define PEM_STRING_ACERT "ATTRIBUTE CERTIFICATE"
# define PEM_TYPE_ENCRYPTED 10
# define PEM_TYPE_MIC_ONLY 20
diff --git a/include/openssl/x509_acert.h.in b/include/openssl/x509_acert.h.in
new file mode 100644
index 0000000000..1d66af9545
--- /dev/null
+++ b/include/openssl/x509_acert.h.in
@@ -0,0 +1,48 @@
+/*
+ * {- join("\n * ", @autowarntext) -}
+ *
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+{-
+use OpenSSL::stackhash qw(generate_stack_macros);
+-}
+
+#ifndef OPENSSL_X509_ACERT_H
+# define OPENSSL_X509_ACERT_H
+# pragma once
+
+# include <openssl/x509v3.h>
+# include <openssl/x509.h>
+# include <openssl/pem.h>
+
+typedef struct X509_acert_st X509_ACERT;
+typedef struct X509_acert_info_st X509_ACERT_INFO;
+typedef struct ossl_object_digest_info_st OSSL_OBJECT_DIGEST_INFO;
+typedef struct ossl_issuer_serial_st OSSL_ISSUER_SERIAL;
+typedef struct X509_acert_issuer_v2form_st X509_ACERT_ISSUER_V2FORM;
+
+DECLARE_ASN1_FUNCTIONS(X509_ACERT)
+DECLARE_ASN1_DUP_FUNCTION(X509_ACERT)
+DECLARE_ASN1_ITEM(X509_ACERT_INFO)
+DECLARE_ASN1_ALLOC_FUNCTIONS(X509_ACERT_INFO)
+DECLARE_ASN1_ALLOC_FUNCTIONS(OSSL_OBJECT_DIGEST_INFO)
+DECLARE_ASN1_ALLOC_FUNCTIONS(OSSL_ISSUER_SERIAL)
+DECLARE_ASN1_ALLOC_FUNCTIONS(X509_ACERT_ISSUER_V2FORM)
+
+# ifndef OPENSSL_NO_STDIO
+X509_ACERT *d2i_X509_ACERT_fp(FILE *fp, X509_ACERT **acert);
+int i2d_X509_ACERT_fp(FILE *fp, const X509_ACERT *acert);
+# endif
+
+DECLARE_PEM_rw(X509_ACERT, X509_ACERT)
+
+X509_ACERT *d2i_X509_ACERT_bio(BIO *bp, X509_ACERT **acert);
+int i2d_X509_ACERT_bio(BIO *bp, const X509_ACERT *acert);
+
+#endif
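Review bot: The new public header declares d2i_X509_ACERT_fp, i2d_X509_ACERT_fp, the DECLARE_PEM_rw functions and the BIO variants without an `extern "C"` wrapper, unlike the existing public headers (the pem.h hunk header in this same commit shows its declarations sit inside `extern "C" {`); a C++ consumer including <openssl/x509_acert.h> would get mangled names and fail to link against libcrypto. The usual guard should follow the includes, with the matching closing brace before the final `#endif`, as sketched below. The file also carries `Copyright 2022` while its sibling include/crypto/x509_acert.h in this commit says 2021; presumably one of the two is off and worth aligning.
```c
# include <openssl/pem.h>

# ifdef __cplusplus
extern "C" {
# endif

/* … unchanged: typedefs, DECLARE_ASN1_* macros and the fp/PEM/bio declarations … */

# ifdef __cplusplus
}
# endif

#endif
```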