From 70a7dd6f96c28a1a3059bf3d175bfb24449202ae Mon Sep 17 00:00:00 2001
From: Richard Levitte
Date: Tue, 10 Mar 2020 22:50:22 +0100
Subject: [PATCH] X509: Rename X509_set0_sm2_id() and friends
- X509_set0_sm2_id() -> X509_set0_distinguishing_id()
- X509_get0_sm2_id() -> X509_get0_distinguishing_id()
- X509_REQ_set0_sm2_id -> X509_REQ_set0_distinguishing_id()
- X509_REQ_get0_sm2_id -> X509_REQ_get0_distinguishing_id()
The reason for this rename is that the SM2 ID isn't really a unique SM2 data item, but rather a re-use of the Distinguished that is defined in ISO/IEC 15946-3 as well as in FIPS 196, with no special attribution toward any algorithm in particular.
Fixes #11293
Reviewed-by: Paul Yang
(Merged from https://github.com/openssl/openssl/pull/11302)
---
 crypto/x509/x_all.c | 10 +---
 crypto/x509/x_req.c | 18 +++---
 crypto/x509/x_x509.c | 24 +++-----
 doc/man3/X509_get0_distinguishing_id.pod | 71 ++++++++++++++++++++++++
 doc/man3/X509_get0_sm2_id.pod | 55 ------------------
 include/crypto/x509.h | 12 ++--
 include/openssl/x509.h | 10 ++--
 util/libcrypto.num | 8 +--
 8 files changed, 103 insertions(+), 105 deletions(-)
 create mode 100644 doc/man3/X509_get0_distinguishing_id.pod
 delete mode 100644 doc/man3/X509_get0_sm2_id.pod
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 2d7387b9e0..ca9d3dbc98 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -71,10 +71,7 @@ int X509_verify(X509 *a, EVP_PKEY *r)
 if (X509_ALGOR_cmp(&a->sig_alg, &a->cert_info.signature))
 return 0;

-#ifndef OPENSSL_NO_SM2
- id = a->sm2_id;
-#endif
-
+ id = a->distinguishing_id;
 if ((ctx = make_id_ctx(r, id)) != NULL) {
 rv = ASN1_item_verify_ctx(ASN1_ITEM_rptr(X509_CINF), &a->sig_alg,
 &a->signature, &a->cert_info, ctx);
@@ -89,10 +86,7 @@ int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
 EVP_MD_CTX *ctx = NULL;
 ASN1_OCTET_STRING *id = NULL;

-#ifndef OPENSSL_NO_SM2
- id = a->sm2_id;
-#endif
-
+ id = a->distinguishing_id;
 if ((ctx = make_id_ctx(r, id)) != NULL) {
 rv = ASN1_item_verify_ctx(ASN1_ITEM_rptr(X509_REQ_INFO), &a->sig_alg,
 a->signature, &a->req_info, ctx);
diff --git a/crypto/x509/x_req.c b/crypto/x509/x_req.c
index e9cc9ba41c..d8a89011e8 100644
--- a/crypto/x509/x_req.c
+++ b/crypto/x509/x_req.c
@@ -53,14 +53,14 @@ static int req_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,

 switch (operation) {
 case ASN1_OP_D2I_PRE:
- ASN1_OCTET_STRING_free(ret->sm2_id);
+ ASN1_OCTET_STRING_free(ret->distinguishing_id);
 /* fall thru */
 case ASN1_OP_NEW_POST:
- ret->sm2_id = NULL;
+ ret->distinguishing_id = NULL;
 break;

 case ASN1_OP_FREE_POST:
- ASN1_OCTET_STRING_free(ret->sm2_id);
+ ASN1_OCTET_STRING_free(ret->distinguishing_id);
 break;
 }
 #endif
@@ -90,15 +90,13 @@ IMPLEMENT_ASN1_FUNCTIONS(X509_REQ)

 IMPLEMENT_ASN1_DUP_FUNCTION(X509_REQ)

-#ifndef OPENSSL_NO_SM2
-void X509_REQ_set0_sm2_id(X509_REQ *x, ASN1_OCTET_STRING *sm2_id)
+void X509_REQ_set0_distinguishing_id(X509_REQ *x, ASN1_OCTET_STRING *d_id)
 {
- ASN1_OCTET_STRING_free(x->sm2_id);
- x->sm2_id = sm2_id;
+ ASN1_OCTET_STRING_free(x->distinguishing_id);
+ x->distinguishing_id = d_id;
 }

-ASN1_OCTET_STRING *X509_REQ_get0_sm2_id(X509_REQ *x)
+ASN1_OCTET_STRING *X509_REQ_get0_distinguishing_id(X509_REQ *x)
 {
- return x->sm2_id;
+ return x->distinguishing_id;
 }
-#endif
diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c
index 7b41ce0777..e3caf8d44a 100644
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
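Review bot: With the SM2 guard gone, `ASN1_OCTET_STRING *id = NULL;` followed two lines later by the added `id = a->distinguishing_id;` is a two-step initialisation of a variable that is now assigned unconditionally; the declaration can carry the value directly, `ASN1_OCTET_STRING *id = a->distinguishing_id;`, and the separate assignment dropped. The previous hunk in X509_verify has the same shape, though its declaration of `id` lies above that hunk. What make_id_ctx() does with a NULL id is outside both hunks, so this is purely a point of style.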
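Review bot: The closing `#endif` on the last context line of the req_cb hunk shows that the switch is still compiled under a preprocessor guard (its opening is above the hunk; given the `#ifndef OPENSSL_NO_SM2` blocks removed elsewhere in this patch it is presumably that one), while the `distinguishing_id` field in include/crypto/x509.h and `X509_REQ_set0_distinguishing_id()` in the next hunk are now unconditional. In a build where that guard is active, an octet string stored with `X509_REQ_set0_distinguishing_id()` is never released at `ASN1_OP_FREE_POST` and never cleared at `ASN1_OP_D2I_PRE`/`ASN1_OP_NEW_POST`, so the request leaks its Distinguishing ID on free and re-decode. The x_x509.c hunks drop the guard around every `distinguishing_id` access; req_cb should do the same, i.e. delete this `#endif` together with its matching `#ifndef` above the hunk so the callback always manages the field.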
@@ -53,9 +53,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
 ASIdentifiers_free(ret->rfc3779_asid);
 #endif
-#ifndef OPENSSL_NO_SM2
- ASN1_OCTET_STRING_free(ret->sm2_id);
-#endif
+ ASN1_OCTET_STRING_free(ret->distinguishing_id);

 /* fall thru */

@@ -76,9 +74,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 ret->rfc3779_addr = NULL;
 ret->rfc3779_asid = NULL;
 #endif
-#ifndef OPENSSL_NO_SM2
- ret->sm2_id = NULL;
-#endif
+ ret->distinguishing_id = NULL;
 ret->aux = NULL;
 ret->crldp = NULL;
 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data))
@@ -98,9 +94,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
 ASIdentifiers_free(ret->rfc3779_asid);
 #endif
-#ifndef OPENSSL_NO_SM2
- ASN1_OCTET_STRING_free(ret->sm2_id);
-#endif
+ ASN1_OCTET_STRING_free(ret->distinguishing_id);
 break;

 }
@@ -254,15 +248,13 @@ int X509_get_signature_nid(const X509 *x)
 return OBJ_obj2nid(x->sig_alg.algorithm);
 }

-#ifndef OPENSSL_NO_SM2
-void X509_set0_sm2_id(X509 *x, ASN1_OCTET_STRING *sm2_id)
+void X509_set0_distinguishing_id(X509 *x, ASN1_OCTET_STRING *d_id)
 {
- ASN1_OCTET_STRING_free(x->sm2_id);
- x->sm2_id = sm2_id;
+ ASN1_OCTET_STRING_free(x->distinguishing_id);
+ x->distinguishing_id = d_id;
 }

-ASN1_OCTET_STRING *X509_get0_sm2_id(X509 *x)
+ASN1_OCTET_STRING *X509_get0_distinguishing_id(X509 *x)
 {
- return x->sm2_id;
+ return x->distinguishing_id;
 }
-#endif
diff --git a/doc/man3/X509_get0_distinguishing_id.pod b/doc/man3/X509_get0_distinguishing_id.pod
new file mode 100644
index 0000000000..2dd06e716d
--- /dev/null
+++ b/doc/man3/X509_get0_distinguishing_id.pod
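Review bot: In the last hunk, `X509_get0_distinguishing_id()` takes a non-const `X509 *x` although its body only reads `x->distinguishing_id`; since the name is new in this commit, the getter (and its X509_REQ counterpart in x_req.c, with the prototypes in include/openssl/x509.h) could take `const X509 *x` now, matching `X509_get_signature_nid(const X509 *x)` just above it, without breaking any caller. The setter frees the previous value and stores the pointer, which is visible only from the body; a one-line comment above it, `/* Takes ownership of d_id and frees any previously set ID; NULL clears it. */`, would spell that out for readers of the .c file. The three x509_cb hunks above consistently drop the SM2 guard and need no change.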
@@ -0,0 +1,71 @@
+=pod
+
+=head1 NAME
+
+X509_get0_distinguishing_id, X509_set0_distinguishing_id,
+X509_REQ_get0_distinguishing_id, X509_REQ_set0_distinguishing_id
+- get or set the Distinguishing ID for certificate operations
+
+=head1 SYNOPSIS
+
+ #include
+
+ ASN1_OCTET_STRING *X509_get0_distinguishing_id(X509 *x);
+ void X509_set0_distinguishing_id(X509 *x, ASN1_OCTET_STRING *distid);
+ ASN1_OCTET_STRING *X509_REQ_get0_distinguishing_id(X509_REQ *x);
+ void X509_REQ_set0_distinguishing_id(X509_REQ *x, ASN1_OCTET_STRING *distid);
+
+=head1 DESCRIPTION
+
+The Distinguishing ID is defined in FIPS 196 as follows:
+
+=over 4
+
+I: information which unambiguously distinguishes
+an entity in the authentication process.
+
+=back
+
+The SM2 signature algorithm requires a Distinguishing ID value when generating
+and verifying a signature, but the Ddistinguishing ID may also find other uses.
+In the context of SM2, the Distinguishing ID is often referred to as the "SM2
+ID".
+
+For the purpose off verifying a certificate or a certification request, a
+Distinguishing ID may be attached to it, so functions like L
+or L have easy access to that identity for signature
+verification.
+
+X509_get0_distinguishing_id() gets the Distinguishing ID value of a certificate
+B by returning an B object which should not be freed by
+the caller.
+
+X509_set0_distinguishing_id() assigns B to the certificate B.
+Calling this function transfers the memory management of the value to the X509
+object, and therefore the value that has been passed in should not be freed by
+the caller after this function has been called.
+
+X509_REQ_get0_distinguishing_id() and X509_REQ_set0_distinguishing_id()
+have the same functionality as X509_get0_distinguishing_id() and
+X509_set0_distinguishing_id() except that they deal with B
+objects instead of B.
+
+=head1 RETURN VALUES
+
+X509_set0_distinguishing_id() and X509_REQ_set0_distinguishing_id() do not
+return a value.
+
+=head1 SEE ALSO
+
+L, L
+
+=head1 COPYRIGHT
+
+Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L.
+
+=cut
diff --git a/doc/man3/X509_get0_sm2_id.pod b/doc/man3/X509_get0_sm2_id.pod
deleted file mode 100644
index d8a85d7f8b..0000000000
--- a/doc/man3/X509_get0_sm2_id.pod
+++ /dev/null
@@ -1,55 +0,0 @@
-=pod
-
-=head1 NAME
-
-X509_get0_sm2_id, X509_set0_sm2_id,
-X509_REQ_get0_sm2_id, X509_REQ_set0_sm2_id
-- get or set SM2 ID for certificate operations
-
-=head1 SYNOPSIS
-
- #include
-
- ASN1_OCTET_STRING *X509_get0_sm2_id(X509 *x);
- void X509_set0_sm2_id(X509 *x, ASN1_OCTET_STRING *sm2_id);
- ASN1_OCTET_STRING *X509_REQ_get0_sm2_id(X509_REQ *x);
- void X509_REQ_set0_sm2_id(X509_REQ *x, ASN1_OCTET_STRING *sm2_id);
-
-=head1 DESCRIPTION
-
-X509_get0_sm2_id() gets the ID value of an SM2 certificate B by returning an
-B object which should not be freed by the caller.
-
-X509_set0_sm2_id() sets the B value to an SM2 certificate B. Calling
-this function transfers the memory management of the value to the X509 object,
-and therefore the value that has been passed in should not be freed by the
-caller after this function has been called.
-
-X509_REQ_get0_sm2_id() and X509_REQ_set0_sm2_id() have the same functionality
-as X509_get0_sm2_id() and X509_set0_sm2_id() except that they deal with
-B objects instead of B.
-
-=head1 NOTES
-
-SM2 signature algorithm requires an ID value when generating and verifying a
-signature. The functions described in this manual provide the user with the
-ability to set and retrieve the SM2 ID value.
-
-=head1 RETURN VALUES
-
-X509_set0_sm2_id() and X509_REQ_set0_sm2_id() do not return a value.
-
-=head1 SEE ALSO
-
-L, L
-
-=head1 COPYRIGHT
-
-Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the Apache License 2.0 (the "License"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file LICENSE in the source distribution or at
-L.
-
-=cut
diff --git a/include/crypto/x509.h b/include/crypto/x509.h
index 602a72fd27..edd85b6db0 100644
--- a/include/crypto/x509.h
+++ b/include/crypto/x509.h
@@ -71,9 +71,9 @@ struct X509_req_st {
 ASN1_BIT_STRING *signature; /* signature */
 CRYPTO_REF_COUNT references;
 CRYPTO_RWLOCK *lock;
-# ifndef OPENSSL_NO_SM2
- ASN1_OCTET_STRING *sm2_id;
-# endif
+
+ /* Set on live certificates for authentication purposes */
+ ASN1_OCTET_STRING *distinguishing_id;
 };

 struct X509_crl_info_st {
@@ -186,9 +186,9 @@ struct x509_st {
 X509_CERT_AUX *aux;
 CRYPTO_RWLOCK *lock;
 volatile int ex_cached;
-# ifndef OPENSSL_NO_SM2
- ASN1_OCTET_STRING *sm2_id;
-# endif
+
+ /* Set on live certificates for authentication purposes */
+ ASN1_OCTET_STRING *distinguishing_id;
 } /* X509 */ ;

 /*
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 80328cb2eb..82feb75efb 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -581,12 +581,10 @@ void X509_get0_signature(const ASN1_BIT_STRING **psig, const X509_ALGOR **palg,
 const X509 *x);
 int X509_get_signature_nid(const X509 *x);

-# ifndef OPENSSL_NO_SM2
-void X509_set0_sm2_id(X509 *x, ASN1_OCTET_STRING *sm2_id);
-ASN1_OCTET_STRING *X509_get0_sm2_id(X509 *x);
-void X509_REQ_set0_sm2_id(X509_REQ *x, ASN1_OCTET_STRING *sm2_id);
-ASN1_OCTET_STRING *X509_REQ_get0_sm2_id(X509_REQ *x);
-# endif
+void X509_set0_distinguishing_id(X509 *x, ASN1_OCTET_STRING *d_id);
+ASN1_OCTET_STRING *X509_get0_distinguishing_id(X509 *x);
+void X509_REQ_set0_distinguishing_id(X509_REQ *x, ASN1_OCTET_STRING *d_id);
+ASN1_OCTET_STRING *X509_REQ_get0_distinguishing_id(X509_REQ *x);

 int X509_trusted(const X509 *x);
 int X509_alias_set1(X509 *x, const unsigned char *name, int len);
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 30978d2fb0..5f30a779fc 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
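Review bot: The comment added to `struct X509_req_st`, `/* Set on live certificates for authentication purposes */`, is the same text as in the `struct x509_st` hunk below, but this field lives on a certification request; suggest `/* Set on live certification requests for authentication purposes */` here. Neither comment says who owns the octet string, while the set0 functions in this patch free the previous value and store the caller's pointer, so appending `; owned by the object` to both comments would document that. Whether the field takes part in the ASN.1 encoding is not visible in these hunks — it sits beside the runtime-only `references`/`lock` members, so presumably not, and saying so explicitly would help readers.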
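Review bot: The new prototypes in include/openssl/x509.h name the parameter `d_id`, while the manual page added in this patch (doc/man3/X509_get0_distinguishing_id.pod) shows the same functions with `distid`; pick one spelling so the header and the SYNOPSIS agree, e.g. `void X509_set0_distinguishing_id(X509 *x, ASN1_OCTET_STRING *distid);` and likewise for the X509_REQ variant. The definitions in x_x509.c and x_req.c also use `d_id` and would follow whichever name is chosen.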
@@ -4604,8 +4604,8 @@ OSSL_PARAM_get_utf8_ptr ? 3_0_0 EXIST::FUNCTION:
 OSSL_PARAM_set_utf8_ptr ? 3_0_0 EXIST::FUNCTION:
 OSSL_PARAM_get_octet_ptr ? 3_0_0 EXIST::FUNCTION:
 OSSL_PARAM_set_octet_ptr ? 3_0_0 EXIST::FUNCTION:
-X509_set0_sm2_id ? 3_0_0 EXIST::FUNCTION:SM2
-X509_get0_sm2_id ? 3_0_0 EXIST::FUNCTION:SM2
+X509_set0_distinguishing_id ? 3_0_0 EXIST::FUNCTION:
+X509_get0_distinguishing_id ? 3_0_0 EXIST::FUNCTION:
 EVP_PKEY_get0_engine ? 3_0_0 EXIST::FUNCTION:ENGINE
 EVP_MD_up_ref ? 3_0_0 EXIST::FUNCTION:
 EVP_MD_fetch ? 3_0_0 EXIST::FUNCTION:
@@ -4650,8 +4650,8 @@ BN_CTX_new_ex ? 3_0_0 EXIST::FUNCTION:
 BN_CTX_secure_new_ex ? 3_0_0 EXIST::FUNCTION:
 OPENSSL_thread_stop_ex ? 3_0_0 EXIST::FUNCTION:
 OSSL_PARAM_locate_const ? 3_0_0 EXIST::FUNCTION:
-X509_REQ_set0_sm2_id ? 3_0_0 EXIST::FUNCTION:SM2
-X509_REQ_get0_sm2_id ? 3_0_0 EXIST::FUNCTION:SM2
+X509_REQ_set0_distinguishing_id ? 3_0_0 EXIST::FUNCTION:
+X509_REQ_get0_distinguishing_id ? 3_0_0 EXIST::FUNCTION:
 BN_rand_ex ? 3_0_0 EXIST::FUNCTION:
 BN_priv_rand_ex ? 3_0_0 EXIST::FUNCTION:
 BN_rand_range_ex ? 3_0_0 EXIST::FUNCTION:
-- 
2.25.1