From 71f852802f453db9be24bb83385288c7d7b83ae1 Mon Sep 17 00:00:00 2001 From: Nikolay Morozov Date: Mon, 2 Mar 2020 10:17:30 +0300 Subject: [PATCH] Issuer Sign Tool extention support Issuer Sign Tool (1.2.643.100.112) The name of the tool used to signs the subject (ASN1_SEQUENCE) This extention is required to obtain the status of a qualified certificate at Russian Federation. RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5 Russian Federal Law 63 "Digital Sign" is available here: http://www.consultant.ru/document/cons_doc_LAW_112701/ Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/11216) --- crypto/asn1/asn1_item_list.h | 3 +- crypto/err/openssl.txt | 2 + crypto/x509/build.info | 2 +- crypto/x509/ext_dat.h | 1 + crypto/x509/standard_exts.h | 1 + crypto/x509/v3_ist.c | 149 +++++++++++++++++++++ doc/man3/ISSUER_SIGN_TOOL_new.pod | 51 +++++++ include/openssl/x509v3.h | 9 ++ include/openssl/x509v3err.h | 2 + test/certs/grfc.pem | 30 +++++ test/recipes/25-test_rusext.t | 33 +++++ test/recipes/25-test_rusext_data/grfc.msb | 67 +++++++++ test/recipes/25-test_rusext_data/grfc.utf8 | 67 +++++++++ util/libcrypto.num | 5 + 14 files changed, 420 insertions(+), 2 deletions(-) create mode 100644 crypto/x509/v3_ist.c create mode 100644 doc/man3/ISSUER_SIGN_TOOL_new.pod create mode 100644 test/certs/grfc.pem create mode 100644 test/recipes/25-test_rusext.t create mode 100644 test/recipes/25-test_rusext_data/grfc.msb create mode 100644 test/recipes/25-test_rusext_data/grfc.utf8 diff --git a/crypto/asn1/asn1_item_list.h b/crypto/asn1/asn1_item_list.h index c8727e5790..4cdf1d221a 100644 --- a/crypto/asn1/asn1_item_list.h +++ b/crypto/asn1/asn1_item_list.h @@ -1,5 +1,5 @@ /* - * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -145,6 +145,7 @@ static ASN1_ITEM_EXP *asn1_item_list[] = { #endif ASN1_ITEM_ref(SXNETID), ASN1_ITEM_ref(SXNET), + ASN1_ITEM_ref(ISSUER_SIGN_TOOL), ASN1_ITEM_ref(USERNOTICE), ASN1_ITEM_ref(X509_ALGORS), ASN1_ITEM_ref(X509_ALGOR), diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 090d0f39a5..50fb57baee 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1770,6 +1770,7 @@ X509V3_F_DO_DIRNAME:144:do_dirname X509V3_F_DO_EXT_I2D:135:do_ext_i2d X509V3_F_DO_EXT_NCONF:151:do_ext_nconf X509V3_F_GNAMES_FROM_SECTNAME:156:gnames_from_sectname +X509V3_F_I2R_ISSUER_SIGN_TOOL:176: X509V3_F_I2S_ASN1_ENUMERATED:121:i2s_ASN1_ENUMERATED X509V3_F_I2S_ASN1_IA5STRING:149:i2s_ASN1_IA5STRING X509V3_F_I2S_ASN1_INTEGER:120:i2s_ASN1_INTEGER @@ -1809,6 +1810,7 @@ X509V3_F_V2I_GENERAL_NAME_EX:117:v2i_GENERAL_NAME_ex X509V3_F_V2I_IDP:157:v2i_idp X509V3_F_V2I_IPADDRBLOCKS:159:v2i_IPAddrBlocks X509V3_F_V2I_ISSUER_ALT:153:v2i_issuer_alt +X509V3_F_V2I_ISSUER_SIGN_TOOL:175: X509V3_F_V2I_NAME_CONSTRAINTS:147:v2i_NAME_CONSTRAINTS X509V3_F_V2I_POLICY_CONSTRAINTS:146:v2i_POLICY_CONSTRAINTS X509V3_F_V2I_POLICY_MAPPINGS:145:v2i_POLICY_MAPPINGS diff --git a/crypto/x509/build.info b/crypto/x509/build.info index c836ef1c2e..04b63d0bc3 100644 --- a/crypto/x509/build.info +++ b/crypto/x509/build.info @@ -12,6 +12,6 @@ SOURCE[../../libcrypto]=\ v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \ v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c \ v3_info.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c \ - v3_pcia.c v3_pci.c \ + v3_pcia.c v3_pci.c v3_ist.c \ pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \ v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c diff --git a/crypto/x509/ext_dat.h b/crypto/x509/ext_dat.h index 4329c44065..b2fecaa165 100644 --- a/crypto/x509/ext_dat.h +++ b/crypto/x509/ext_dat.h @@ -24,3 +24,4 @@ extern const X509V3_EXT_METHOD v3_ct_scts[3]; extern const X509V3_EXT_METHOD v3_tls_feature; extern const X509V3_EXT_METHOD v3_ext_admission; extern const X509V3_EXT_METHOD v3_utf8_list[1]; +extern const X509V3_EXT_METHOD v3_issuer_sign_tool; diff --git a/crypto/x509/standard_exts.h b/crypto/x509/standard_exts.h index d66b6554f1..18f2c32485 100644 --- a/crypto/x509/standard_exts.h +++ b/crypto/x509/standard_exts.h @@ -69,6 +69,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = { &v3_ct_scts[2], #endif &v3_utf8_list[0], + &v3_issuer_sign_tool, &v3_tls_feature, &v3_ext_admission }; diff --git a/crypto/x509/v3_ist.c b/crypto/x509/v3_ist.c new file mode 100644 index 0000000000..6db4f19913 --- /dev/null +++ b/crypto/x509/v3_ist.c @@ -0,0 +1,149 @@ +/* + * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include "internal/cryptlib.h" +#include +#include +#include +#include +#include "ext_dat.h" + +/* + * Issuer Sign Tool (1.2.643.100.112) The name of the tool used to signs the subject (ASN1_SEQUENCE) + * This extention is required to obtain the status of a qualified certificate at Russian Federation. + * RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5 + * Russian Federal Law 63 "Digital Sign" is available here: http://www.consultant.ru/document/cons_doc_LAW_112701/ + */ + +ASN1_SEQUENCE(ISSUER_SIGN_TOOL) = { + ASN1_SIMPLE(ISSUER_SIGN_TOOL, signTool, ASN1_UTF8STRING), + ASN1_SIMPLE(ISSUER_SIGN_TOOL, cATool, ASN1_UTF8STRING), + ASN1_SIMPLE(ISSUER_SIGN_TOOL, signToolCert, ASN1_UTF8STRING), + ASN1_SIMPLE(ISSUER_SIGN_TOOL, cAToolCert, ASN1_UTF8STRING) +} ASN1_SEQUENCE_END(ISSUER_SIGN_TOOL) + +IMPLEMENT_ASN1_FUNCTIONS(ISSUER_SIGN_TOOL) + + +static ISSUER_SIGN_TOOL *v2i_issuer_sign_tool(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, + STACK_OF(CONF_VALUE) *nval) +{ + ISSUER_SIGN_TOOL *ist = ISSUER_SIGN_TOOL_new(); + int i; + + if (ist == NULL) { + X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE); + return NULL; + } + for (i = 0; i < sk_CONF_VALUE_num(nval); ++i) { + CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i); + + if (cnf == NULL) { + continue; + } + if (strcmp(cnf->name, "signTool") == 0) { + ist->signTool = ASN1_UTF8STRING_new(); + if (ist->signTool == NULL) { + X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE); + ISSUER_SIGN_TOOL_free(ist); + return NULL; + } + ASN1_STRING_set(ist->signTool, cnf->value, strlen(cnf->value)); + } else if (strcmp(cnf->name, "cATool") == 0) { + ist->cATool = ASN1_UTF8STRING_new(); + if (ist->cATool == NULL) { + X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE); + ISSUER_SIGN_TOOL_free(ist); + return NULL; + } + ASN1_STRING_set(ist->cATool, cnf->value, strlen(cnf->value)); + } else if (strcmp(cnf->name, "signToolCert") == 0) { + ist->signToolCert = ASN1_UTF8STRING_new(); + if (ist->signToolCert == NULL) { + X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE); + ISSUER_SIGN_TOOL_free(ist); + return NULL; + } + ASN1_STRING_set(ist->signToolCert, cnf->value, strlen(cnf->value)); + } else if (strcmp(cnf->name, "cAToolCert") == 0) { + ist->cAToolCert = ASN1_UTF8STRING_new(); + if (ist->cAToolCert == NULL) { + X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE); + ISSUER_SIGN_TOOL_free(ist); + return NULL; + } + ASN1_STRING_set(ist->cAToolCert, cnf->value, strlen(cnf->value)); + } else { + X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_PASSED_INVALID_ARGUMENT); + ISSUER_SIGN_TOOL_free(ist); + return NULL; + } + } + return ist; +} + +static int i2r_issuer_sign_tool(X509V3_EXT_METHOD *method, + ISSUER_SIGN_TOOL *ist, BIO *out, + int indent) +{ + int new_line = 0; + + if (ist == NULL) { + X509V3err(X509V3_F_I2R_ISSUER_SIGN_TOOL, ERR_R_PASSED_INVALID_ARGUMENT); + return 0; + } + if (ist->signTool != NULL) { + if (new_line == 1) { + BIO_write(out, "\n", 1); + } + BIO_printf(out, "%*ssignTool : ", indent, ""); + BIO_write(out, ist->signTool->data, ist->signTool->length); + new_line = 1; + } + if (ist->cATool != NULL) { + if (new_line == 1) { + BIO_write(out, "\n", 1); + } + BIO_printf(out, "%*scATool : ", indent, ""); + BIO_write(out, ist->cATool->data, ist->cATool->length); + new_line = 1; + } + if (ist->signToolCert != NULL) { + if (new_line == 1) { + BIO_write(out, "\n", 1); + } + BIO_printf(out, "%*ssignToolCert: ", indent, ""); + BIO_write(out, ist->signToolCert->data, ist->signToolCert->length); + new_line = 1; + } + if (ist->cAToolCert != NULL) { + if (new_line == 1) { + BIO_write(out, "\n", 1); + } + BIO_printf(out, "%*scAToolCert : ", indent, ""); + BIO_write(out, ist->cAToolCert->data, ist->cAToolCert->length); + new_line = 1; + } + return 1; +} + +const X509V3_EXT_METHOD v3_issuer_sign_tool = { + NID_issuerSignTool, /* nid */ + X509V3_EXT_MULTILINE, /* flags */ + ASN1_ITEM_ref(ISSUER_SIGN_TOOL), /* template */ + 0, 0, 0, 0, /* old functions, ignored */ + 0, /* i2s */ + 0, /* s2i */ + 0, /* i2v */ + (X509V3_EXT_V2I)v2i_issuer_sign_tool, /* v2i */ + (X509V3_EXT_I2R)i2r_issuer_sign_tool, /* i2r */ + 0, /* r2i */ + NULL /* extension-specific data */ +}; diff --git a/doc/man3/ISSUER_SIGN_TOOL_new.pod b/doc/man3/ISSUER_SIGN_TOOL_new.pod new file mode 100644 index 0000000000..4fb1f70f25 --- /dev/null +++ b/doc/man3/ISSUER_SIGN_TOOL_new.pod @@ -0,0 +1,51 @@ +=pod + +=head1 NAME + +ISSUER_SIGN_TOOL_new, ISSUER_SIGN_TOOL_free,ISSUER_SIGN_TOOL_it, +d2i_ISSUER_SIGN_TOOL, i2d_ISSUER_SIGN_TOOL + +=head1 SYNOPSIS + +=for openssl generic + + #include + + extern const ISSUER_SIGN_TOOL_it; + + ISSUER_SIGN_TOOL *ISSUER_SIGN_TOOL_new(void); + void ISSUER_SIGN_TOOL_free(ISSUER_SIGN_TOOL *v); + + ISSUER_SIGN_TOOL *d2i_ISSUER_SIGN_TOOL(ISSUER_SIGN_TOOL **a, const unsigned char **pp, long length); + int i2d_ISSUER_SIGN_TOOL(const ISSUER_SIGN_TOOL *a, unsigned char **pp); + +=head1 DESCRIPTION + +The ISSUER_SIGN_TOOL_new() function returns a new ISSUER_SIGN_TOOL. + +ISSUER_SIGN_TOOL_free() frees up a single ISSUER_SIGN_TOOL object. + +=head1 RETURN VALUES + +ISSUER_SIGN_TOOL_new() returns a newly created ISSUER_SIGN_TOOL or NULL if the call fails. + +ISSUER_SIGN_TOOL_free() does not return values. + +d2i_ISSUER_SIGN_TOOL() and i2d_ISSUER_SIGN_TOOL() decode and encode an B +structure. They otherwise follow the conventions of other ASN.1 functions such as d2i_X509(). + +=head1 HISTORY + +The ISSUER_SIGN_TOOL_up_ref(), ISSUER_SIGN_TOOL_lock() and ISSUER_SIGN_TOOL_unlock() +functions were added in OpenSSL 3.0. + +=head1 COPYRIGHT + +Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h index 4a96aad69f..63903efb20 100644 --- a/include/openssl/x509v3.h +++ b/include/openssl/x509v3.h @@ -230,6 +230,13 @@ typedef struct SXNET_st { STACK_OF(SXNETID) *ids; } SXNET; +typedef struct ISSUER_SIGN_TOOL_st { + ASN1_UTF8STRING *signTool; + ASN1_UTF8STRING *cATool; + ASN1_UTF8STRING *signToolCert; + ASN1_UTF8STRING *cAToolCert; +} ISSUER_SIGN_TOOL; + typedef struct NOTICEREF_st { ASN1_STRING *organization; STACK_OF(ASN1_INTEGER) *noticenos; @@ -458,6 +465,8 @@ DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS) DECLARE_ASN1_FUNCTIONS(SXNET) DECLARE_ASN1_FUNCTIONS(SXNETID) +DECLARE_ASN1_FUNCTIONS(ISSUER_SIGN_TOOL) + int SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user, int userlen); int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user, int userlen); diff --git a/include/openssl/x509v3err.h b/include/openssl/x509v3err.h index 6e73337e3b..4a305853df 100644 --- a/include/openssl/x509v3err.h +++ b/include/openssl/x509v3err.h @@ -41,6 +41,7 @@ int ERR_load_X509V3_strings(void); # define X509V3_F_DO_EXT_I2D 0 # define X509V3_F_DO_EXT_NCONF 0 # define X509V3_F_GNAMES_FROM_SECTNAME 0 +# define X509V3_F_I2R_ISSUER_SIGN_TOOL 0 # define X509V3_F_I2S_ASN1_ENUMERATED 0 # define X509V3_F_I2S_ASN1_IA5STRING 0 # define X509V3_F_I2S_ASN1_INTEGER 0 @@ -80,6 +81,7 @@ int ERR_load_X509V3_strings(void); # define X509V3_F_V2I_IDP 0 # define X509V3_F_V2I_IPADDRBLOCKS 0 # define X509V3_F_V2I_ISSUER_ALT 0 +# define X509V3_F_V2I_ISSUER_SIGN_TOOL 0 # define X509V3_F_V2I_NAME_CONSTRAINTS 0 # define X509V3_F_V2I_POLICY_CONSTRAINTS 0 # define X509V3_F_V2I_POLICY_MAPPINGS 0 diff --git a/test/certs/grfc.pem b/test/certs/grfc.pem new file mode 100644 index 0000000000..952818275b --- /dev/null +++ b/test/certs/grfc.pem @@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFGDCCBMegAwIBAgIQDIxAk7vmk71DC/UYJgMdBTAIBgYqhQMCAgMwggEWMRgw +FgYFKoUDZAESDTEwMjc3MzkzMzQ0NzkxGjAYBggqhQMDgQMBARIMMDA3NzA2MjI4 +MjE4MTowOAYDVQQJDDHQlNC10YDQsdC10L3QtdCy0YHQutCw0Y8g0L3QsNCxLiDQ +tC4gNyDRgdGC0YAuIDE1MR8wHQYJKoZIhvcNAQkBFhBwa2ktZ3JmY0BncmZjLnJ1 +MQswCQYDVQQGEwJSVTEcMBoGA1UECAwTNzcg0LMuINCc0L7RgdC60LLQsDEVMBMG +A1UEBwwM0JzQvtGB0LrQstCwMRwwGgYDVQQKDBPQpNCT0KPQnyAi0JPQoNCn0KYi +MSEwHwYDVQQDDBjQo9CmINCk0JPQo9CfICLQk9Cg0KfQpiIwHhcNMTMwMzEyMDcz +ODI2WhcNMjgwMzEyMDc0NjAwWjCCARYxGDAWBgUqhQNkARINMTAyNzczOTMzNDQ3 +OTEaMBgGCCqFAwOBAwEBEgwwMDc3MDYyMjgyMTgxOjA4BgNVBAkMMdCU0LXRgNCx +0LXQvdC10LLRgdC60LDRjyDQvdCw0LEuINC0LiA3INGB0YLRgC4gMTUxHzAdBgkq +hkiG9w0BCQEWEHBraS1ncmZjQGdyZmMucnUxCzAJBgNVBAYTAlJVMRwwGgYDVQQI +DBM3NyDQsy4g0JzQvtGB0LrQstCwMRUwEwYDVQQHDAzQnNC+0YHQutCy0LAxHDAa +BgNVBAoME9Ck0JPQo9CfICLQk9Cg0KfQpiIxITAfBgNVBAMMGNCj0KYg0KTQk9Cj +0J8gItCT0KDQp9CmIjBjMBwGBiqFAwICEzASBgcqhQMCAiMBBgcqhQMCAh4BA0MA +BECWU7YnkJgff0sdJ+i50FXAYZlpcSz8wO/2AnfCzGC+PMj/NGOKMMWcv8I9eN7W +eEXwIuRc96StDM8zJigQGd/1o4IB6TCCAeUwNgYFKoUDZG8ELQwrItCa0YDQuNC/ +0YLQvtCf0YDQviBDU1AiICjQstC10YDRgdC40Y8gMy42KTCCATMGBSqFA2RwBIIB +KDCCASQMKyLQmtGA0LjQv9GC0L7Qn9GA0L4gQ1NQIiAo0LLQtdGA0YHQuNGPIDMu +NikMUyLQo9C00L7RgdGC0L7QstC10YDRj9GO0YnQuNC5INGG0LXQvdGC0YAgItCa +0YDQuNC/0YLQvtCf0YDQviDQo9CmIiDQstC10YDRgdC40LggMS41DE/QodC10YDR +gtC40YTQuNC60LDRgiDRgdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQv +MTIxLTE4NTkg0L7RgiAxNy4wNi4yMDEyDE/QodC10YDRgtC40YTQuNC60LDRgiDR +gdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQvMTI4LTE4MjIg0L7RgiAw +MS4wNi4yMDEyMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW +BBRrAIaDidIAz1a4a+TjNhAeH3KuwzAQBgkrBgEEAYI3FQEEAwIBADAlBgNVHSAE +HjAcMAgGBiqFA2RxATAIBgYqhQNkcQIwBgYEVR0gADAIBgYqhQMCAgMDQQC9ld1f +Oit0pSliIMIkqIugExoh9UrWLrE/9VDplqCiyXkJFaJBwGDhHT8ljYj0TGDzD07j +KW64bgG0AywHjyc3 +-----END CERTIFICATE----- diff --git a/test/recipes/25-test_rusext.t b/test/recipes/25-test_rusext.t new file mode 100644 index 0000000000..05727f9d04 --- /dev/null +++ b/test/recipes/25-test_rusext.t @@ -0,0 +1,33 @@ +#! /usr/bin/env perl +# Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Test::Utils; +use OpenSSL::Test qw/:DEFAULT srctop_file/; + +setup("test_rusext"); + +plan tests => 5; + +require_ok(srctop_file('test', 'recipes', 'tconversion.pl')); +my $pem = srctop_file("test/certs", "grfc.pem"); +my $out_msb = "grfc.msb"; +my $out_utf8 = "grfc.utf8"; + +ok(run(app(["openssl", "x509", "-text", "-in", $pem, "-out", $out_msb, + "-nameopt", "esc_msb", "-certopt", "no_pubkey"]))); +is(cmp_text($out_msb, srctop_file('test', 'recipes', '25-test_rusext_data', 'grfc.msb')), + 0, 'Comparing esc_msb output'); +ok(run(app(["openssl", "x509", "-text", "-in", $pem, "-out", $out_utf8, + "-nameopt", "utf8", "-certopt", "no_pubkey"]))); +is(cmp_text($out_utf8, srctop_file('test', 'recipes', '25-test_rusext_data', 'grfc.utf8')), + 0, 'Comparing utf8 output'); diff --git a/test/recipes/25-test_rusext_data/grfc.msb b/test/recipes/25-test_rusext_data/grfc.msb new file mode 100644 index 0000000000..68ebff6274 --- /dev/null +++ b/test/recipes/25-test_rusext_data/grfc.msb @@ -0,0 +1,67 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0c:8c:40:93:bb:e6:93:bd:43:0b:f5:18:26:03:1d:05 + Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001 + Issuer: OGRN=1027739334479, INN=007706228218, street=\U0414\U0435\U0440\U0431\U0435\U043D\U0435\U0432\U0441\U043A\U0430\U044F \U043D\U0430\U0431. \U0434. 7 \U0441\U0442\U0440. 15, emailAddress=pki-grfc@grfc.ru, C=RU, ST=77 \U0433. \U041C\U043E\U0441\U043A\U0432\U0430, L=\U041C\U043E\U0441\U043A\U0432\U0430, O=\U0424\U0413\U0423\U041F "\U0413\U0420\U0427\U0426", CN=\U0423\U0426 \U0424\U0413\U0423\U041F "\U0413\U0420\U0427\U0426" + Validity + Not Before: Mar 12 07:38:26 2013 GMT + Not After : Mar 12 07:46:00 2028 GMT + Subject: OGRN=1027739334479, INN=007706228218, street=\U0414\U0435\U0440\U0431\U0435\U043D\U0435\U0432\U0441\U043A\U0430\U044F \U043D\U0430\U0431. \U0434. 7 \U0441\U0442\U0440. 15, emailAddress=pki-grfc@grfc.ru, C=RU, ST=77 \U0433. \U041C\U043E\U0441\U043A\U0432\U0430, L=\U041C\U043E\U0441\U043A\U0432\U0430, O=\U0424\U0413\U0423\U041F "\U0413\U0420\U0427\U0426", CN=\U0423\U0426 \U0424\U0413\U0423\U041F "\U0413\U0420\U0427\U0426" + X509v3 extensions: + Signing Tool of Subject: + "КриптоПро CSP" (версия 3.6) + Signing Tool of Issuer: + signTool : "КриптоПро CSP" (версия 3.6) + cATool : "Удостоверяющий центр "КриптоПро УЦ" версии 1.5 + signToolCert: Сертификат соответствия № СФ/121-1859 от 17.06.2012 + cAToolCert : Сертификат соответствия № СФ/128-1822 от 01.06.2012 + X509v3 Key Usage: + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 6B:00:86:83:89:D2:00:CF:56:B8:6B:E4:E3:36:10:1E:1F:72:AE:C3 + 1.3.6.1.4.1.311.21.1: + ... + X509v3 Certificate Policies: + Policy: 1.2.643.100.113.1 + Policy: 1.2.643.100.113.2 + Policy: X509v3 Any Policy + Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001 + Signature Value: + bd:95:dd:5f:3a:2b:74:a5:29:62:20:c2:24:a8:8b:a0:13:1a: + 21:f5:4a:d6:2e:b1:3f:f5:50:e9:96:a0:a2:c9:79:09:15:a2: + 41:c0:60:e1:1d:3f:25:8d:88:f4:4c:60:f3:0f:4e:e3:29:6e: + b8:6e:01:b4:03:2c:07:8f:27:37 +-----BEGIN CERTIFICATE----- +MIIFGDCCBMegAwIBAgIQDIxAk7vmk71DC/UYJgMdBTAIBgYqhQMCAgMwggEWMRgw +FgYFKoUDZAESDTEwMjc3MzkzMzQ0NzkxGjAYBggqhQMDgQMBARIMMDA3NzA2MjI4 +MjE4MTowOAYDVQQJDDHQlNC10YDQsdC10L3QtdCy0YHQutCw0Y8g0L3QsNCxLiDQ +tC4gNyDRgdGC0YAuIDE1MR8wHQYJKoZIhvcNAQkBFhBwa2ktZ3JmY0BncmZjLnJ1 +MQswCQYDVQQGEwJSVTEcMBoGA1UECAwTNzcg0LMuINCc0L7RgdC60LLQsDEVMBMG +A1UEBwwM0JzQvtGB0LrQstCwMRwwGgYDVQQKDBPQpNCT0KPQnyAi0JPQoNCn0KYi +MSEwHwYDVQQDDBjQo9CmINCk0JPQo9CfICLQk9Cg0KfQpiIwHhcNMTMwMzEyMDcz +ODI2WhcNMjgwMzEyMDc0NjAwWjCCARYxGDAWBgUqhQNkARINMTAyNzczOTMzNDQ3 +OTEaMBgGCCqFAwOBAwEBEgwwMDc3MDYyMjgyMTgxOjA4BgNVBAkMMdCU0LXRgNCx +0LXQvdC10LLRgdC60LDRjyDQvdCw0LEuINC0LiA3INGB0YLRgC4gMTUxHzAdBgkq +hkiG9w0BCQEWEHBraS1ncmZjQGdyZmMucnUxCzAJBgNVBAYTAlJVMRwwGgYDVQQI +DBM3NyDQsy4g0JzQvtGB0LrQstCwMRUwEwYDVQQHDAzQnNC+0YHQutCy0LAxHDAa +BgNVBAoME9Ck0JPQo9CfICLQk9Cg0KfQpiIxITAfBgNVBAMMGNCj0KYg0KTQk9Cj +0J8gItCT0KDQp9CmIjBjMBwGBiqFAwICEzASBgcqhQMCAiMBBgcqhQMCAh4BA0MA +BECWU7YnkJgff0sdJ+i50FXAYZlpcSz8wO/2AnfCzGC+PMj/NGOKMMWcv8I9eN7W +eEXwIuRc96StDM8zJigQGd/1o4IB6TCCAeUwNgYFKoUDZG8ELQwrItCa0YDQuNC/ +0YLQvtCf0YDQviBDU1AiICjQstC10YDRgdC40Y8gMy42KTCCATMGBSqFA2RwBIIB +KDCCASQMKyLQmtGA0LjQv9GC0L7Qn9GA0L4gQ1NQIiAo0LLQtdGA0YHQuNGPIDMu +NikMUyLQo9C00L7RgdGC0L7QstC10YDRj9GO0YnQuNC5INGG0LXQvdGC0YAgItCa +0YDQuNC/0YLQvtCf0YDQviDQo9CmIiDQstC10YDRgdC40LggMS41DE/QodC10YDR +gtC40YTQuNC60LDRgiDRgdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQv +MTIxLTE4NTkg0L7RgiAxNy4wNi4yMDEyDE/QodC10YDRgtC40YTQuNC60LDRgiDR +gdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQvMTI4LTE4MjIg0L7RgiAw +MS4wNi4yMDEyMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW +BBRrAIaDidIAz1a4a+TjNhAeH3KuwzAQBgkrBgEEAYI3FQEEAwIBADAlBgNVHSAE +HjAcMAgGBiqFA2RxATAIBgYqhQNkcQIwBgYEVR0gADAIBgYqhQMCAgMDQQC9ld1f +Oit0pSliIMIkqIugExoh9UrWLrE/9VDplqCiyXkJFaJBwGDhHT8ljYj0TGDzD07j +KW64bgG0AywHjyc3 +-----END CERTIFICATE----- diff --git a/test/recipes/25-test_rusext_data/grfc.utf8 b/test/recipes/25-test_rusext_data/grfc.utf8 new file mode 100644 index 0000000000..ebca5d6b59 --- /dev/null +++ b/test/recipes/25-test_rusext_data/grfc.utf8 @@ -0,0 +1,67 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0c:8c:40:93:bb:e6:93:bd:43:0b:f5:18:26:03:1d:05 + Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001 + Issuer: OGRN=1027739334479, INN=007706228218, street=Дербеневская наб. д. 7 стр. 15, emailAddress=pki-grfc@grfc.ru, C=RU, ST=77 г. Москва, L=Москва, O=ФГУП "ГРЧЦ", CN=УЦ ФГУП "ГРЧЦ" + Validity + Not Before: Mar 12 07:38:26 2013 GMT + Not After : Mar 12 07:46:00 2028 GMT + Subject: OGRN=1027739334479, INN=007706228218, street=Дербеневская наб. д. 7 стр. 15, emailAddress=pki-grfc@grfc.ru, C=RU, ST=77 г. Москва, L=Москва, O=ФГУП "ГРЧЦ", CN=УЦ ФГУП "ГРЧЦ" + X509v3 extensions: + Signing Tool of Subject: + "КриптоПро CSP" (версия 3.6) + Signing Tool of Issuer: + signTool : "КриптоПро CSP" (версия 3.6) + cATool : "Удостоверяющий центр "КриптоПро УЦ" версии 1.5 + signToolCert: Сертификат соответствия № СФ/121-1859 от 17.06.2012 + cAToolCert : Сертификат соответствия № СФ/128-1822 от 01.06.2012 + X509v3 Key Usage: + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 6B:00:86:83:89:D2:00:CF:56:B8:6B:E4:E3:36:10:1E:1F:72:AE:C3 + 1.3.6.1.4.1.311.21.1: + ... + X509v3 Certificate Policies: + Policy: 1.2.643.100.113.1 + Policy: 1.2.643.100.113.2 + Policy: X509v3 Any Policy + Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001 + Signature Value: + bd:95:dd:5f:3a:2b:74:a5:29:62:20:c2:24:a8:8b:a0:13:1a: + 21:f5:4a:d6:2e:b1:3f:f5:50:e9:96:a0:a2:c9:79:09:15:a2: + 41:c0:60:e1:1d:3f:25:8d:88:f4:4c:60:f3:0f:4e:e3:29:6e: + b8:6e:01:b4:03:2c:07:8f:27:37 +-----BEGIN CERTIFICATE----- +MIIFGDCCBMegAwIBAgIQDIxAk7vmk71DC/UYJgMdBTAIBgYqhQMCAgMwggEWMRgw +FgYFKoUDZAESDTEwMjc3MzkzMzQ0NzkxGjAYBggqhQMDgQMBARIMMDA3NzA2MjI4 +MjE4MTowOAYDVQQJDDHQlNC10YDQsdC10L3QtdCy0YHQutCw0Y8g0L3QsNCxLiDQ +tC4gNyDRgdGC0YAuIDE1MR8wHQYJKoZIhvcNAQkBFhBwa2ktZ3JmY0BncmZjLnJ1 +MQswCQYDVQQGEwJSVTEcMBoGA1UECAwTNzcg0LMuINCc0L7RgdC60LLQsDEVMBMG +A1UEBwwM0JzQvtGB0LrQstCwMRwwGgYDVQQKDBPQpNCT0KPQnyAi0JPQoNCn0KYi +MSEwHwYDVQQDDBjQo9CmINCk0JPQo9CfICLQk9Cg0KfQpiIwHhcNMTMwMzEyMDcz +ODI2WhcNMjgwMzEyMDc0NjAwWjCCARYxGDAWBgUqhQNkARINMTAyNzczOTMzNDQ3 +OTEaMBgGCCqFAwOBAwEBEgwwMDc3MDYyMjgyMTgxOjA4BgNVBAkMMdCU0LXRgNCx +0LXQvdC10LLRgdC60LDRjyDQvdCw0LEuINC0LiA3INGB0YLRgC4gMTUxHzAdBgkq +hkiG9w0BCQEWEHBraS1ncmZjQGdyZmMucnUxCzAJBgNVBAYTAlJVMRwwGgYDVQQI +DBM3NyDQsy4g0JzQvtGB0LrQstCwMRUwEwYDVQQHDAzQnNC+0YHQutCy0LAxHDAa +BgNVBAoME9Ck0JPQo9CfICLQk9Cg0KfQpiIxITAfBgNVBAMMGNCj0KYg0KTQk9Cj +0J8gItCT0KDQp9CmIjBjMBwGBiqFAwICEzASBgcqhQMCAiMBBgcqhQMCAh4BA0MA +BECWU7YnkJgff0sdJ+i50FXAYZlpcSz8wO/2AnfCzGC+PMj/NGOKMMWcv8I9eN7W +eEXwIuRc96StDM8zJigQGd/1o4IB6TCCAeUwNgYFKoUDZG8ELQwrItCa0YDQuNC/ +0YLQvtCf0YDQviBDU1AiICjQstC10YDRgdC40Y8gMy42KTCCATMGBSqFA2RwBIIB +KDCCASQMKyLQmtGA0LjQv9GC0L7Qn9GA0L4gQ1NQIiAo0LLQtdGA0YHQuNGPIDMu +NikMUyLQo9C00L7RgdGC0L7QstC10YDRj9GO0YnQuNC5INGG0LXQvdGC0YAgItCa +0YDQuNC/0YLQvtCf0YDQviDQo9CmIiDQstC10YDRgdC40LggMS41DE/QodC10YDR +gtC40YTQuNC60LDRgiDRgdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQv +MTIxLTE4NTkg0L7RgiAxNy4wNi4yMDEyDE/QodC10YDRgtC40YTQuNC60LDRgiDR +gdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQvMTI4LTE4MjIg0L7RgiAw +MS4wNi4yMDEyMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW +BBRrAIaDidIAz1a4a+TjNhAeH3KuwzAQBgkrBgEEAYI3FQEEAwIBADAlBgNVHSAE +HjAcMAgGBiqFA2RxATAIBgYqhQNkcQIwBgYEVR0gADAIBgYqhQMCAgMDQQC9ld1f +Oit0pSliIMIkqIugExoh9UrWLrE/9VDplqCiyXkJFaJBwGDhHT8ljYj0TGDzD07j +KW64bgG0AywHjyc3 +-----END CERTIFICATE----- diff --git a/util/libcrypto.num b/util/libcrypto.num index 0e275084d1..ba27450084 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4950,6 +4950,11 @@ EVP_PKEY_CTX_set0_ecdh_kdf_ukm ? 3_0_0 EXIST::FUNCTION:EC EVP_PKEY_CTX_get0_ecdh_kdf_ukm ? 3_0_0 EXIST::FUNCTION:EC EVP_PKEY_CTX_set_rsa_pss_saltlen ? 3_0_0 EXIST::FUNCTION:RSA EVP_PKEY_CTX_get_rsa_pss_saltlen ? 3_0_0 EXIST::FUNCTION:RSA +d2i_ISSUER_SIGN_TOOL ? 3_0_0 EXIST::FUNCTION: +i2d_ISSUER_SIGN_TOOL ? 3_0_0 EXIST::FUNCTION: +ISSUER_SIGN_TOOL_free ? 3_0_0 EXIST::FUNCTION: +ISSUER_SIGN_TOOL_new ? 3_0_0 EXIST::FUNCTION: +ISSUER_SIGN_TOOL_it ? 3_0_0 EXIST::FUNCTION: OSSL_SELF_TEST_new ? 3_0_0 EXIST::FUNCTION: OSSL_SELF_TEST_free ? 3_0_0 EXIST::FUNCTION: OSSL_SELF_TEST_onbegin ? 3_0_0 EXIST::FUNCTION: -- 2.25.1