Hi all,
I have made a try to parse attribute certificate by writing attribute certificate ASN.1 structures myself after knowing that OpenSSL yet has no support for attribute certificate. I am getting error right at the beginning that is on d2i_X509AC(). It complains with the error message "Wrong Tag". It appears to me that I have some mistake in my attribute certificate
ASN.1 structures declarations. I am attaching the source files alongwith the attribute certificate. OpenSSL gurus please help on this.
Regards,
Hashim Saleem
/* x509ac.h */ /* Copyright (C) 1995-1998 Eric Young ([EMAIL PROTECTED]) * All rights reserved. * * This package is an SSL implementation written * by Eric Young ([EMAIL PROTECTED]). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson ([EMAIL PROTECTED]). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young ([EMAIL PROTECTED])" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson ([EMAIL PROTECTED])" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */
#ifndef HEADER_X509AC_H
#define HEADER_X509AC_H
#include <openssl/stack.h>
#include <openssl/asn1.h>
#include <openssl/safestack.h>
#ifdef __cplusplus
extern "C" {
#endif
/* IssuerSerial ::= SEQUENCE {
* issuer GeneralNames,
* serial CertificateSerialNumber,
* issuerUID UniqueIdentifier OPTIONAL}
*/
typedef struct X509AC_issuer_serial_st
{
STACK_OF(GENERAL_NAME) *issuer;
ASN1_INTEGER *serialNumber;
ASN1_BIT_STRING *issuerUID;
} X509AC_ISSUER_SERIAL;
DECLARE_ASN1_FUNCTIONS(X509AC_ISSUER_SERIAL)
/* ObjectDigestInfo ::= SEQUENCE {
* digestedObjectType ENUMERATED {
* publicKey (0),
* publicKeyCert (1),
* otherObjectTypes (2) }, -- otherObjectTypes MUST NOT be
used in this profile
* otherObjectTypeID OBJECT IDENTIFIER OPTIONAL,
* digestAlgorithm AlgorithmIdentifier,
* objectDigest BIT STRING}
*/
typedef struct X509AC_object_digest_info_st
{
ASN1_ENUMERATED *digestedObjectType;
ASN1_OBJECT *otherObjectTypeID;
X509_ALGOR *digestAlgorithm;
ASN1_BIT_STRING *objectDigest;
} X509AC_OBJECT_DIGEST_INFO;
DECLARE_ASN1_FUNCTIONS(X509AC_OBJECT_DIGEST_INFO)
/* Holder ::= SEQUENCE {
* baseCertificateID [0] IssuerSerial OPTIONAL, -- the issuer and serial
number of the holder's Public Key Certificate
* entityName [1] GeneralNames OPTIONAL, -- the name of the
claimant or role
* objectDigestInfo [2] ObjectDigestInfo OPTIONAL -- if present,
version must be v2 }
*/
typedef struct X509AC_holder_st
{
X509AC_ISSUER_SERIAL *baseCertificateID;
STACK_OF(GENERAL_NAME) *entityName;
X509AC_OBJECT_DIGEST_INFO *objectDigestInfo;
} X509AC_HOLDER;
DECLARE_ASN1_FUNCTIONS(X509AC_HOLDER)
/* V2Form ::= SEQUENCE {
* issuerName GeneralNames OPTIONAL,
* baseCertificateID [0] IssuerSerial OPTIONAL,
* objectDigestInfo [1] ObjectDigestInfo OPTIONAL -- at least one of
issuerName, baseCertificateID or objectDigestInfo MUST be present}
*/
typedef struct X509AC_v2form_st
{
STACK_OF(GENERAL_NAME) *issuerName;
X509AC_ISSUER_SERIAL *baseCertificateID;
X509AC_OBJECT_DIGEST_INFO *objectDigestInfo;
} X509AC_V2FORM;
DECLARE_ASN1_FUNCTIONS(X509AC_V2FORM)
/* AttCertIssuer ::= CHOICE {
* v1Form GeneralNames, -- v1 or v2
* v2Form [0] V2Form -- v2 only}
*/
#define V_X509AC_ATTCERTISSUER_V1FORM 0
#define V_X509AC_ATTCERTISSUER_V2FORM 1
typedef struct X509AC_attcert_issuer_st
{
int type;
union {
STACK_OF(GENERAL_NAME) *v1Form;
X509AC_V2FORM *v2Form;
} value;
} X509AC_ATTCERT_ISSUER;
DECLARE_ASN1_FUNCTIONS(X509AC_ATTCERT_ISSUER)
/* AttCertValidityPeriod ::= SEQUENCE {
* notBeforeTime GeneralizedTime,
* notAfter GeneralizedTime }
*/
typedef struct X509AC_attcert_validity_period_st
{
ASN1_GENERALIZEDTIME *notBeforeTime;
ASN1_GENERALIZEDTIME *notAfter;
} X509AC_ATTCERT_VALIDITY_PERIOD;
DECLARE_ASN1_FUNCTIONS(X509AC_ATTCERT_VALIDITY_PERIOD)
/* AttributeCertificateInfo ::= SEQUENCE {
* version AttCertVersion DEFAULT v1,
* holder Holder,
* issuer AttCertIssuer,
* signature AlgorithmIdentifier,
* serialNumber CertificateSerialNumber,
* attrCertValidityPeriod AttCertValidityPeriod,
* attributes SEQUENCE OF Attribute,
* issuerUniqueID UniqueIdentifier OPTIONAL,
* extensions Extensions OPTIONAL }
*/
typedef struct X509AC_attribute_cert_info_st
{
ASN1_INTEGER *version;
X509AC_HOLDER *holder;
X509AC_ATTCERT_ISSUER *issuer;
X509_ALGOR *signature;
ASN1_INTEGER *serialNumber;
X509AC_ATTCERT_VALIDITY_PERIOD *attrCertValidityPeriod;
STACK_OF(X509_ATTRIBUTE) *attributes;
ASN1_BIT_STRING *issuerUniqueID;
STACK_OF(X509_EXTENSION) *extensions;
} X509AC_ATTCERT_INFO;
DECLARE_ASN1_FUNCTIONS(X509AC_ATTCERT_INFO)
/* AttributeCertificate ::= SEQUENCE {
* acinfo AttributeCertificateInfo,
* signatureAlgorithm AlgorithmIdentifier,
* signatureValue BIT STRING}
*/
typedef struct X509AC_st
{
X509AC_ATTCERT_INFO *acinfo;
X509_ALGOR *signatureAlgorithm;
ASN1_BIT_STRING *signatureValue;
} X509AC;
DECLARE_ASN1_FUNCTIONS(X509AC)
#ifdef __cplusplus
}
#endif
#endif/* x509ac_asn.c */ /* Written by Dr Stephen N Henson ([EMAIL PROTECTED]) for the OpenSSL * project 2000. */ /* ==================================================================== * Copyright (c) 2000 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * [EMAIL PROTECTED] * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * ([EMAIL PROTECTED]). This product includes software written by Tim * Hudson ([EMAIL PROTECTED]). * */ #include <openssl/asn1.h> #include <openssl/asn1t.h> #include <openssl/x509v3.h> #include "openssl/x509ac.h" #define IMPLEMENT_ASN1_DUP_FUNCTION_EX(stname) \ stname * stname##_dup(stname *x) \ { \ return (stname *) ASN1_item_dup(ASN1_ITEM_rptr(stname), x); \ } /* IssuerSerial ::= SEQUENCE { * issuer GeneralNames, * serial CertificateSerialNumber, * issuerUID UniqueIdentifier OPTIONAL} */ ASN1_SEQUENCE(X509AC_ISSUER_SERIAL) = { ASN1_SEQUENCE_OF(X509AC_ISSUER_SERIAL, issuer, GENERAL_NAME), ASN1_SIMPLE(X509AC_ISSUER_SERIAL, serialNumber, ASN1_INTEGER), ASN1_OPT(X509AC_ISSUER_SERIAL, issuerUID, ASN1_BIT_STRING) } ASN1_SEQUENCE_END(X509AC_ISSUER_SERIAL) IMPLEMENT_ASN1_FUNCTIONS(X509AC_ISSUER_SERIAL) IMPLEMENT_ASN1_DUP_FUNCTION_EX(X509AC_ISSUER_SERIAL) /* ObjectDigestInfo ::= SEQUENCE { * digestedObjectType ENUMERATED { * publicKey (0), * publicKeyCert (1), * otherObjectTypes (2) }, -- otherObjectTypes MUST NOT be used in this profile * otherObjectTypeID OBJECT IDENTIFIER OPTIONAL, * digestAlgorithm AlgorithmIdentifier, * objectDigest BIT STRING} */ ASN1_SEQUENCE(X509AC_OBJECT_DIGEST_INFO) = { ASN1_SIMPLE(X509AC_OBJECT_DIGEST_INFO, digestedObjectType, ASN1_ENUMERATED), ASN1_SIMPLE(X509AC_OBJECT_DIGEST_INFO, otherObjectTypeID, ASN1_OBJECT), ASN1_SIMPLE(X509AC_OBJECT_DIGEST_INFO, digestAlgorithm, X509_ALGOR), ASN1_SIMPLE(X509AC_OBJECT_DIGEST_INFO, objectDigest, ASN1_BIT_STRING) } ASN1_SEQUENCE_END(X509AC_OBJECT_DIGEST_INFO) IMPLEMENT_ASN1_FUNCTIONS(X509AC_OBJECT_DIGEST_INFO) IMPLEMENT_ASN1_DUP_FUNCTION_EX(X509AC_OBJECT_DIGEST_INFO) /* Holder ::= SEQUENCE { * baseCertificateID [0] IssuerSerial OPTIONAL, -- the issuer and serial number of the holder's Public Key Certificate * entityName [1] GeneralNames OPTIONAL, -- the name of the claimant or role * objectDigestInfo [2] ObjectDigestInfo OPTIONAL -- if present, version must be v2 } */ ASN1_SEQUENCE(X509AC_HOLDER) = { ASN1_OPT(X509AC_HOLDER, baseCertificateID, X509AC_ISSUER_SERIAL), ASN1_SEQUENCE_OF_OPT(X509AC_HOLDER, entityName, GENERAL_NAME), ASN1_OPT(X509AC_HOLDER, objectDigestInfo, X509AC_OBJECT_DIGEST_INFO) } ASN1_SEQUENCE_END(X509AC_HOLDER) IMPLEMENT_ASN1_FUNCTIONS(X509AC_HOLDER) IMPLEMENT_ASN1_DUP_FUNCTION_EX(X509AC_HOLDER) /* AttCertValidityPeriod ::= SEQUENCE { * notBeforeTime GeneralizedTime, * notAfter GeneralizedTime } */ ASN1_SEQUENCE(X509AC_ATTCERT_VALIDITY_PERIOD) = { ASN1_SIMPLE(X509AC_ATTCERT_VALIDITY_PERIOD, notBeforeTime, ASN1_GENERALIZEDTIME), ASN1_SIMPLE(X509AC_ATTCERT_VALIDITY_PERIOD, notAfter, ASN1_GENERALIZEDTIME) } ASN1_SEQUENCE_END(X509AC_ATTCERT_VALIDITY_PERIOD) IMPLEMENT_ASN1_FUNCTIONS(X509AC_ATTCERT_VALIDITY_PERIOD) IMPLEMENT_ASN1_DUP_FUNCTION_EX(X509AC_ATTCERT_VALIDITY_PERIOD) /* V2Form ::= SEQUENCE { * issuerName GeneralNames OPTIONAL, * baseCertificateID [0] IssuerSerial OPTIONAL, * objectDigestInfo [1] ObjectDigestInfo OPTIONAL -- at least one of issuerName, baseCertificateID or objectDigestInfo MUST be present} */ ASN1_SEQUENCE(X509AC_V2FORM) = { ASN1_SEQUENCE_OF_OPT(X509AC_V2FORM, issuerName, GENERAL_NAME), ASN1_OPT(X509AC_V2FORM, baseCertificateID, X509AC_ISSUER_SERIAL), ASN1_OPT(X509AC_V2FORM, objectDigestInfo, X509AC_OBJECT_DIGEST_INFO) } ASN1_SEQUENCE_END(X509AC_V2FORM) IMPLEMENT_ASN1_FUNCTIONS(X509AC_V2FORM) IMPLEMENT_ASN1_DUP_FUNCTION_EX(X509AC_V2FORM) /* AttCertIssuer ::= CHOICE { * v1Form GeneralNames, -- v1 or v2 * v2Form [0] V2Form -- v2 only} */ ASN1_CHOICE(X509AC_ATTCERT_ISSUER) = { ASN1_SEQUENCE_OF(X509AC_ATTCERT_ISSUER, value.v1Form, GENERAL_NAME), ASN1_SIMPLE(X509AC_ATTCERT_ISSUER, value.v2Form, X509AC_V2FORM) } ASN1_CHOICE_END(X509AC_ATTCERT_ISSUER) IMPLEMENT_ASN1_FUNCTIONS(X509AC_ATTCERT_ISSUER) IMPLEMENT_ASN1_DUP_FUNCTION_EX(X509AC_ATTCERT_ISSUER) /* AttributeCertificateInfo ::= SEQUENCE { * version AttCertVersion DEFAULT v1, * holder Holder, * issuer AttCertIssuer, * signature AlgorithmIdentifier, * serialNumber CertificateSerialNumber, * attrCertValidityPeriod AttCertValidityPeriod, * attributes SEQUENCE OF Attribute, * issuerUniqueID UniqueIdentifier OPTIONAL, * extensions Extensions OPTIONAL } */ ASN1_SEQUENCE(X509AC_ATTCERT_INFO) = { ASN1_SIMPLE(X509AC_ATTCERT_INFO, version, ASN1_INTEGER), ASN1_SIMPLE(X509AC_ATTCERT_INFO, holder, X509AC_HOLDER), ASN1_SIMPLE(X509AC_ATTCERT_INFO, issuer, X509AC_ATTCERT_ISSUER), ASN1_SIMPLE(X509AC_ATTCERT_INFO, signature, X509_ALGOR), ASN1_SIMPLE(X509AC_ATTCERT_INFO, serialNumber, ASN1_INTEGER), ASN1_SIMPLE(X509AC_ATTCERT_INFO, attrCertValidityPeriod, X509AC_ATTCERT_VALIDITY_PERIOD), ASN1_SEQUENCE_OF(X509AC_ATTCERT_INFO, attributes, X509_ATTRIBUTE), ASN1_OPT(X509AC_ATTCERT_INFO, issuerUniqueID, ASN1_BIT_STRING), ASN1_SEQUENCE_OF_OPT(X509AC_ATTCERT_INFO, extensions, X509_EXTENSION) } ASN1_SEQUENCE_END(X509AC_ATTCERT_INFO) IMPLEMENT_ASN1_FUNCTIONS(X509AC_ATTCERT_INFO) IMPLEMENT_ASN1_DUP_FUNCTION_EX(X509AC_ATTCERT_INFO) /* AttributeCertificate ::= SEQUENCE { * acinfo AttributeCertificateInfo, * signatureAlgorithm AlgorithmIdentifier, * signatureValue BIT STRING} */ ASN1_SEQUENCE(X509AC) = { ASN1_SIMPLE(X509AC, acinfo, X509AC_ATTCERT_INFO), ASN1_SIMPLE(X509AC, signatureAlgorithm, X509_ALGOR), ASN1_SIMPLE(X509AC, signatureValue, ASN1_BIT_STRING) } ASN1_SEQUENCE_END(X509AC) IMPLEMENT_ASN1_FUNCTIONS(X509AC) IMPLEMENT_ASN1_DUP_FUNCTION_EX(X509AC)
AttribCert.ber
Description: Binary data
