TrustedComputingGroup · JonathanWilbur · Dec 10, 2022 · Dec 10, 2022
diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
@@ -10,7 +10,7 @@
  */
 
 /* Serialized OID's */
-static const unsigned char so[8410] = {
+static const unsigned char so[8428] = {
     0x2A,0x86,0x48,0x86,0xF7,0x0D,                 /* [    0] OBJ_rsadsi */
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,            /* [    6] OBJ_pkcs */
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02,       /* [   13] OBJ_md2 */
@@ -1170,9 +1170,15 @@ static const unsigned char so[8410] = {
     0x55,0x1D,0x43,                                /* [ 8400] OBJ_allowed_attribute_assignments */
     0x55,0x1D,0x44,                                /* [ 8403] OBJ_attribute_mappings */
     0x55,0x1D,0x45,                                /* [ 8406] OBJ_holder_name_constraints */
+    0x55,0x1D,0x46,                                /* [ 8409] OBJ_authorization_validation */
+    0x55,0x1D,0x47,                                /* [ 8412] OBJ_prot_restrict */
+    0x55,0x1D,0x48,                                /* [ 8415] OBJ_subject_alt_public_key_info */
+    0x55,0x1D,0x49,                                /* [ 8418] OBJ_alt_signature_algorithm */
+    0x55,0x1D,0x4A,                                /* [ 8421] OBJ_alt_signature_value */
+    0x55,0x1D,0x4B,                                /* [ 8424] OBJ_associated_information */
 };
 
-#define NUM_NID 1308
+#define NUM_NID 1314
 static const ASN1_OBJECT nid_objs[NUM_NID] = {
     {"UNDEF", "undefined", NID_undef},
     {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
@@ -2482,9 +2488,15 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
     {"allowedAttributeAssignments", "X509v3 Allowed Attribute Assignments", NID_allowed_attribute_assignments, 3, &so[8400]},
     {"attributeMappings", "X509v3 Attribute Mappings", NID_attribute_mappings, 3, &so[8403]},
     {"holderNameConstraints", "X509v3 Holder Name Constraints", NID_holder_name_constraints, 3, &so[8406]},
+    {"authorizationValidation", "X509v3 Authorization Validation", NID_authorization_validation, 3, &so[8409]},
+    {"protRestrict", "X509v3 Protocol Restriction", NID_prot_restrict, 3, &so[8412]},
+    {"subjectAltPublicKeyInfo", "X509v3 Subject Alternative Public Key Info", NID_subject_alt_public_key_info, 3, &so[8415]},
+    {"altSignatureAlgorithm", "X509v3 Alternative Signature Algorithm", NID_alt_signature_algorithm, 3, &so[8418]},
+    {"altSignatureValue", "X509v3 Alternative Signature Value", NID_alt_signature_value, 3, &so[8421]},
+    {"associatedInformation", "X509v3 Associated Information", NID_associated_information, 3, &so[8424]},
 };
 
-#define NUM_SN 1299
+#define NUM_SN 1305
 static const unsigned int sn_objs[NUM_SN] = {
      364,    /* "AD_DVCS" */
      419,    /* "AES-128-CBC" */
@@ -2805,11 +2817,14 @@ static const unsigned int sn_objs[NUM_SN] = {
      363,    /* "ad_timestamping" */
      376,    /* "algorithm" */
     1305,    /* "allowedAttributeAssignments" */
+    1311,    /* "altSignatureAlgorithm" */
+    1312,    /* "altSignatureValue" */
      405,    /* "ansi-X9-62" */
      910,    /* "anyExtendedKeyUsage" */
      746,    /* "anyPolicy" */
      370,    /* "archiveCutoff" */
      484,    /* "associatedDomain" */
+    1313,    /* "associatedInformation" */
      485,    /* "associatedName" */
     1295,    /* "attributeDescriptor" */
     1306,    /* "attributeMappings" */
@@ -2818,6 +2833,7 @@ static const unsigned int sn_objs[NUM_SN] = {
      177,    /* "authorityInfoAccess" */
       90,    /* "authorityKeyIdentifier" */
      882,    /* "authorityRevocationList" */
+    1308,    /* "authorizationValidation" */
     1292,    /* "basicAttConstraints" */
       87,    /* "basicConstraints" */
      365,    /* "basicOCSPResponse" */
@@ -3510,6 +3526,7 @@ static const unsigned int sn_objs[NUM_SN] = {
      415,    /* "prime256v1" */
      385,    /* "private" */
       84,    /* "privateKeyUsagePeriod" */
+    1309,    /* "protRestrict" */
      886,    /* "protocolInformation" */
      663,    /* "proxyCertInfo" */
      510,    /* "pseudonym" */
@@ -3724,6 +3741,7 @@ static const unsigned int sn_objs[NUM_SN] = {
      387,    /* "snmpv2" */
      660,    /* "street" */
       85,    /* "subjectAltName" */
+    1310,    /* "subjectAltPublicKeyInfo" */
      769,    /* "subjectDirectoryAttributes" */
      398,    /* "subjectInfoAccess" */
       82,    /* "subjectKeyIdentifier" */
@@ -3787,7 +3805,7 @@ static const unsigned int sn_objs[NUM_SN] = {
     1289,    /* "zstd" */
 };
 
-#define NUM_LN 1299
+#define NUM_LN 1305
 static const unsigned int ln_objs[NUM_LN] = {
      363,    /* "AD Time Stamping" */
      405,    /* "ANSI X9.62" */
@@ -3994,11 +4012,15 @@ static const unsigned int ln_objs[NUM_LN] = {
     1298,    /* "X509v3 Acceptable Certification Policies" */
     1299,    /* "X509v3 Acceptable Privilege Policies" */
     1305,    /* "X509v3 Allowed Attribute Assignments" */
+    1311,    /* "X509v3 Alternative Signature Algorithm" */
+    1312,    /* "X509v3 Alternative Signature Value" */
      746,    /* "X509v3 Any Policy" */
+    1313,    /* "X509v3 Associated Information" */
     1295,    /* "X509v3 Attribute Descriptor" */
     1306,    /* "X509v3 Attribute Mappings" */
     1290,    /* "X509v3 Authority Attribute Identifier" */
       90,    /* "X509v3 Authority Key Identifier" */
+    1308,    /* "X509v3 Authorization Validation" */
     1292,    /* "X509v3 Basic Attribute Certificate Constraints" */
       87,    /* "X509v3 Basic Constraints" */
      103,    /* "X509v3 CRL Distribution Points" */
@@ -4024,10 +4046,12 @@ static const unsigned int ln_objs[NUM_LN] = {
      401,    /* "X509v3 Policy Constraints" */
      747,    /* "X509v3 Policy Mappings" */
       84,    /* "X509v3 Private Key Usage Period" */
+    1309,    /* "X509v3 Protocol Restriction" */
     1291,    /* "X509v3 Role Specification Certificate Identifier" */
     1303,    /* "X509v3 Single Use" */
     1297,    /* "X509v3 Source of Authority Identifier" */
       85,    /* "X509v3 Subject Alternative Name" */
+    1310,    /* "X509v3 Subject Alternative Public Key Info" */
      769,    /* "X509v3 Subject Directory Attributes" */
       82,    /* "X509v3 Subject Key Identifier" */
     1294,    /* "X509v3 Time Specification" */
@@ -5090,7 +5114,7 @@ static const unsigned int ln_objs[NUM_LN] = {
      125,    /* "zlib compression" */
 };
 
-#define NUM_OBJ 1165
+#define NUM_OBJ 1171
 static const unsigned int obj_objs[NUM_OBJ] = {
        0,    /* OBJ_undef                        0 */
      181,    /* OBJ_iso                          1 */
@@ -5225,6 +5249,12 @@ static const unsigned int obj_objs[NUM_OBJ] = {
     1305,    /* OBJ_allowed_attribute_assignments 2 5 29 67 */
     1306,    /* OBJ_attribute_mappings           2 5 29 68 */
     1307,    /* OBJ_holder_name_constraints      2 5 29 69 */
+    1308,    /* OBJ_authorization_validation     2 5 29 70 */
+    1309,    /* OBJ_prot_restrict                2 5 29 71 */
+    1310,    /* OBJ_subject_alt_public_key_info  2 5 29 72 */
+    1311,    /* OBJ_alt_signature_algorithm      2 5 29 73 */
+    1312,    /* OBJ_alt_signature_value          2 5 29 74 */
+    1313,    /* OBJ_associated_information       2 5 29 75 */
      513,    /* OBJ_set_ctype                    2 23 42 0 */
      514,    /* OBJ_set_msgExt                   2 23 42 1 */
      515,    /* OBJ_set_attr                     2 23 42 3 */

diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
@@ -1305,3 +1305,9 @@ group_ac		1304
 allowed_attribute_assignments		1305
 attribute_mappings		1306
 holder_name_constraints		1307
+authorization_validation		1308
+prot_restrict		1309
+subject_alt_public_key_info		1310
+alt_signature_algorithm		1311
+alt_signature_value		1312
+associated_information		1313
diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
@@ -917,6 +917,18 @@ id-ce 67		: allowedAttributeAssignments		: X509v3 Allowed Attribute Assignments
 id-ce 68		: attributeMappings		: X509v3 Attribute Mappings
 !Cname holder-name-constraints
 id-ce 69		: holderNameConstraints	: X509v3 Holder Name Constraints
+!Cname authorization-validation
+id-ce 70		: authorizationValidation : X509v3 Authorization Validation
+!Cname prot-restrict
+id-ce 71		: protRestrict : X509v3 Protocol Restriction
+!Cname subject-alt-public-key-info
+id-ce 72		: subjectAltPublicKeyInfo : X509v3 Subject Alternative Public Key Info
+!Cname alt-signature-algorithm
+id-ce 73		: altSignatureAlgorithm : X509v3 Alternative Signature Algorithm
+!Cname alt-signature-value
+id-ce 74		: altSignatureValue : X509v3 Alternative Signature Value
+!Cname associated-information
+id-ce 75		: associatedInformation : X509v3 Associated Information
 
 # From RFC5280
 ext-key-usage 0		: anyExtendedKeyUsage	: Any Extended Key Usage

diff --git a/crypto/x509/build.info b/crypto/x509/build.info
@@ -17,7 +17,7 @@ SOURCE[../../libcrypto]=\
         v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c \
         x509_acert.c t_acert.c x509aset.c x_ietfatt.c \
         v3_no_rev_avail.c v3_soa_id.c v3_no_ass.c v3_group_ac.c \
-        v3_single_use.c v3_ac_tgt.c v3_audit_id.c v3_bacons.c
+        v3_single_use.c v3_ac_tgt.c v3_audit_id.c v3_bacons.c v3_sda.c
 
 IF[{- !$disabled{'deprecated-3.0'} -}]
   SOURCE[../../libcrypto]=x509type.c

diff --git a/crypto/x509/ext_dat.h b/crypto/x509/ext_dat.h
@@ -34,3 +34,5 @@ extern const X509V3_EXT_METHOD ossl_v3_targeting_information;
 extern const X509V3_EXT_METHOD ossl_v3_audit_identity;
 extern const X509V3_EXT_METHOD ossl_v3_bacons;
 extern const X509V3_EXT_METHOD ossl_v3_delegated_name_constraints;
+extern const X509V3_EXT_METHOD ossl_v3_subj_dir_attrs;
+extern const X509V3_EXT_METHOD ossl_v3_associated_info;
diff --git a/crypto/x509/standard_exts.h b/crypto/x509/standard_exts.h
@@ -63,6 +63,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
     &ossl_v3_name_constraints,
     &ossl_v3_policy_mappings,
     &ossl_v3_inhibit_anyp,
+    &ossl_v3_subj_dir_attrs,
     &ossl_v3_idp,
     &ossl_v3_alt[2],
     &ossl_v3_freshest_crl,
@@ -81,6 +82,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
     &ossl_v3_no_assertion,
     &ossl_v3_single_use,
     &ossl_v3_group_ac,
+    &ossl_v3_associated_info,
 };
 
 /* Number of standard extensions */

diff --git a/crypto/x509/v3_sda.c b/crypto/x509/v3_sda.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include "internal/cryptlib.h"
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+#include "ext_dat.h"
+#include <openssl/pkcs12.h>
+
+static int i2r_ATTRIBUTES_SYNTAX(X509V3_EXT_METHOD *method,
+                                 ATTRIBUTES_SYNTAX *attrlst,
+                                 BIO *out, int indent);
+
+const X509V3_EXT_METHOD ossl_v3_subj_dir_attrs = {
+    NID_subject_directory_attributes, 0,
+    ASN1_ITEM_ref(ATTRIBUTES_SYNTAX),
+    0, 0, 0, 0,
+    0, 0, 0, 0,
+    (X509V3_EXT_I2R)i2r_ATTRIBUTES_SYNTAX,
+    0,
+    NULL
+};
+
+const X509V3_EXT_METHOD ossl_v3_associated_info = {
+    NID_associated_information, 0,
+    ASN1_ITEM_ref(ATTRIBUTES_SYNTAX),
+    0, 0, 0, 0,
+    0, 0, 0, 0,
+    (X509V3_EXT_I2R)i2r_ATTRIBUTES_SYNTAX,
+    0,
+    NULL
+};
+
+ASN1_ITEM_TEMPLATE(ATTRIBUTES_SYNTAX) =
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, Attributes, X509_ATTRIBUTE)
+ASN1_ITEM_TEMPLATE_END(ATTRIBUTES_SYNTAX)
+
+IMPLEMENT_ASN1_FUNCTIONS(ATTRIBUTES_SYNTAX)
+
+static int i2r_ATTRIBUTES_SYNTAX(X509V3_EXT_METHOD *method,
+                                 ATTRIBUTES_SYNTAX *attrlst,
+                                 BIO *out, int indent)
+{
+    X509_ATTRIBUTE *attr;
+    ASN1_TYPE *av;
+    int i, j, attr_nid;
+    if (!attrlst) {
+        BIO_printf(out, "<No Attributes>\n");
+        return 1;
+    }
+    if (!sk_X509_ATTRIBUTE_num(attrlst)) {
+        BIO_printf(out, "<Empty Attributes>\n");
+        return 1;
+    }
+    for (i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) {
+        ASN1_OBJECT *attr_obj;
+        attr = sk_X509_ATTRIBUTE_value(attrlst, i);
+        attr_obj = X509_ATTRIBUTE_get0_object(attr);
+        attr_nid = OBJ_obj2nid(attr_obj);
+        if (indent && BIO_printf(out, "%*s", indent, "") <= 0)
+            return 0;
+        if (attr_nid == NID_undef) {
+            i2a_ASN1_OBJECT(out, attr_obj);
+            BIO_printf(out, ":\n");
+        } else {
+            BIO_printf(out, "%s:\n", OBJ_nid2ln(attr_nid));
+        }
+
+        if (X509_ATTRIBUTE_count(attr)) {
+            for (j = 0; j < X509_ATTRIBUTE_count(attr); j++)
+            {
+                av = X509_ATTRIBUTE_get0_type(attr, j);
+                if (BIO_printf(out, "%*s", indent + 4, "") <= 0)
+                    return 0;
+                print_attribute_value(out, attr_nid, av);
+                BIO_printf(out, "\n");
+            }
+        } else {
+            if (BIO_printf(out, "%*s<No Values>\n", indent + 4, "") <= 0)
+                return 0;
+        }
+    }
+    return 1;
+}